
FortiClient - Administration Guide

VERSION 5.6.0
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE
http://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com 

FORTIGATE COOKBOOK
http://cookbook.fortinet.com

FORTINET TRAINING SERVICES
http://www.fortinet.com/training

FORTIGUARD CENTER
http://www.fortiguard.com

END USER LICENSE AGREEMENT


http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdocs@fortinet.com

August 29, 2017

FortiClient 5.6.0 Administration Guide

04-560-400716-20170829
TABLE OF CONTENTS

Change Log 9
Introduction 10
FortiClient modes and features 10
Standalone mode 10
Managed mode 10
Feature comparison of standalone and managed modes 11
Fortinet product support for FortiClient 12
FortiClient EMS 13
FortiManager 13
FortiGate 13
FortiAnalyzer 14
FortiSandbox 14
What’s New in FortiClient 5.6 15
FortiClient 5.6.0 15
FortiClient install option 15
Improved FortiClient compliance feature 15
Vulnerability scan now supports FortiClient (Mac OS X) 15
Vulnerability Scan GUI 15
User Avatar retrieval from cloud applications 15
User Avatar sent to FortiAnalyzer 15
Improved remote logging to FortiAnalyzer 16
Sandbox detection for FortiClient (Windows) 16
New SSL VPN Windows Driver for FortiClient (Windows) 16
VPN Auto-Reconnect improvement 16
Configurator and Rebranding Tools 16
Get Started 17
Get started with standalone mode 17
Get started with managed mode 18
Managed mode concepts 19
FortiGate and FortiClient profiles 19
EMS and endpoint profiles 20
Telemetry connection options 21
Telemetry Gateway IP Lists 23
EMS and automatic upgrade of FortiClient 23
Provisioning Preparation 24
Installation requirements 24
Licensing 25
FortiClient licenses for FortiGate 25
FortiClient licenses for EMS 25
FortiClient setup types and modules 26
EMS and FortiClient setups 26
FortiGate compliance and FortiClient setups 27
Firmware images and tools 27
Microsoft Windows 27
Mac OS X 28
Where to download FortiClient installation files 28
Custom FortiClient installation files and rebranding 28
Provisioning 30
Install FortiClient on computers 30
Microsoft Windows computer 30
Microsoft Server 32
Mac OS X computer 32
Install FortiClient on infected systems 33
Install FortiClient as part of cloned disk images 34
Deploy FortiClient using Microsoft AD servers 34
Deploy FortiClient using Microsoft AD user groups 35
Configure users and groups on AD servers 36
Configure FortiAuthenticator 36
Configure FortiGate 36
Connect FortiClient Telemetry to FortiGate 37
Monitor FortiClient connections 37
Upgrade FortiClient 38
FortiClient Telemetry 39
Telemetry data 39
How FortiClient locates FortiGate or EMS 39
Connect FortiClient Telemetry after installation 40
Remember gateway IP addresses 41
Compliance 43
Enable compliance 43
Connect FortiClient Telemetry manually 43
Disconnect FortiClient Telemetry 44
View compliance status 44
Standalone mode 44
Managed mode with EMS 45
Managed mode with FortiGate 46
Access endpoint details 48
View user details 48
Specify user picture 48
View FortiGate compliance rules 50
View gateway IP lists 50
Forget gateway IP addresses 51
On-net / off-net status with FortiGate and EMS 51
Fix not compliant (blocked) 53
View unmet compliance rules 54
Fix Not-Compliant Settings 55
Patch software vulnerabilities 56
Examples of blocked network access 56
Fix not compliant (warning) 57
Quarantined endpoints 59
Sandbox Detection 60
Enable Sandbox Detection 60
Disable Sandbox Detection 61
Configure Sandbox Detection 62
Configure submission, access, and remediation 62
Configure exceptions 64
Manage the Sandbox Detection exclusion list 64
Scan with FortiSandbox on demand 65
View Sandbox Detection results 65
View FortiSandbox scan results 66
View quarantined files 66
Submit quarantined files for scanning 68
Restore quarantined files 68
Delete quarantined files 68
Use the pop-up window 69
View notifications 70
Antivirus 72
Enable realtime protection 72
Third-party antivirus software and realtime protection 72
Disable realtime protection 73
Configure AntiVirus 73
Block access and communication channels 73
Update Antivirus database 74
Schedule antivirus scanning 74
Manage the AntiVirus exclusion list 76
Configure additional Antivirus options 76
Scan with AntiVirus on demand 77
Scan now 77
Scan files or folders 77
Submit files to FortiGuard for analysis 78
View AntiVirus scan results 78
View quarantined threats 78
View site violations 80
View alerts 80
View realtime protection events 81
View FortiClient engine and signature versions 81
Web Security/Web Filter 83
Web Security 83
Enable Web Security 83
Disable Web Security 84
Web Filter 84
Enable Web Filter 84
Disable Web Filter 85
Configure web filtering 85
Configure site categories 85
Manage the Web Filter/Web Security exclusion list 86
Configure settings 88
View violations 89
Application Firewall 90
Enable Application Firewall 90
Disable Application Firewall 91
View blocked applications 91
View application firewall profiles 91
Remote Access 93
Enable remote access 93
Configure VPN connections 93
Configure SSL VPN connections 93
Configure IPsec VPN connections 94
Connect VPNs 97
Connect SSL and IPsec VPNs 97
Connect VPNs with FortiToken Mobile 98
Save password, auto connect, and always up 99
Access to certificates in Windows Certificates Stores 100
Advanced features (Microsoft Windows) 101
Activate VPN before Windows Log on 102
Connect VPNs before logging on (AD environments) 102
Create redundant IPsec VPNs 102
Create priority-based SSL VPN connections 103
Advanced features (Mac OS X) 103
Create redundant IPsec VPNs 104
Create priority-based SSL VPN connections 104
VPN tunnel & script 105
Windows 105
OS X 106
Vulnerability Scan 107
Compliance and vulnerability scanning 107
Enable vulnerability scan 107
Scan now 107
Cancel scan 109
Automatically fix detected vulnerabilities 109
Review detected vulnerabilities before fixing 110
Manually fix detected vulnerabilities 111
View details about vulnerabilities 112
View vulnerability scan history 113
Settings 114
System 114
Backup or restore full configuration 114
Logging 114
Enable logging for features 114
Send logs to FortiAnalyzer or FortiManager 115
Export the log file 116
Clear entries in the log file 116
VPN options 116
Antivirus options 117
Advanced options 117
Single Sign-On mobility agent 118
FortiClient/FortiAuthenticator protocol 118
Configuration lock 120
FortiTray 120
Establishing VPN connections from FortiTray 120
Diagnostic Tool 121
Appendix A - FortiClient API 123
Overview 123
API reference 123
Appendix B- FortiClient Log Messages 125
Appendix C - Vulnerability Patches 126
FortiClient (Windows) 126
Automatic vulnerability patching 126
Manual vulnerability patching 126
FortiClient (OS X) 127
Automatic vulnerability patching 127
Manual vulnerability patching 127
Appendix D - FortiClient Processes 128
FortiClient (Windows) processes 128
FortiClient (OS X) processes 129
Change Log

Date        Change Description

2017-06-15  Initial release of FortiClient 5.6.0.

2017-07-10  Added EMS and automatic upgrade of FortiClient on page 23.

2017-07-12  Added Appendix D - FortiClient Processes on page 128.

2017-08-03  Clarified that Windows server supports Vulnerability Scan as well as Antivirus.

2017-08-04  Added information about Vulnerability Scan and obsolete applications. See Manually fix detected vulnerabilities on page 111.

2017-08-08  Added information about FortiSandbox settings. See Configure submission, access, and remediation on page 62.

2017-08-29  Clarified that the FortiClient Configurator Tool is free and available for download from the Personal Toolkit section of FNDN.

9 Administration Guide
Fortinet Technologies Inc.
Introduction

FortiClient is an all-in-one comprehensive endpoint security solution that extends the power of Fortinet’s
Advanced Threat Protection (ATP) to end user devices. As the endpoint is the ultimate destination for malware
that is seeking credentials, network access, and sensitive information, ensuring that your endpoint security
combines strong prevention with detection and mitigation is critical.

This document is written for FortiClient (Windows) 5.6.0. Not all features described in
this document are supported for FortiClient (OS X) 5.6.0.

FortiClient modes and features

FortiClient is available in the following modes: Standalone mode and Managed mode.

Standalone mode
In standalone mode, FortiClient is not connected to FortiGate or EMS. In this mode, FortiClient is free both for
private individuals and commercial businesses to use; no license is required. See also Get started with
standalone mode on page 17.

Support for FortiClient in standalone mode is provided on the Fortinet Forums (forum.fortinet.com). Phone support is not provided.

Managed mode
In managed mode, FortiClient is connected to EMS or FortiGate. Another option is to connect FortiClient to
EMS and FortiGate. In managed mode, FortiClient licensing is applied to FortiGate or EMS. No separate license
is required for FortiClient itself.

When connected only to EMS, FortiClient is managed by EMS. However, FortiClient cannot participate in
network compliance or Fortinet's Security Fabric.

When connected to FortiGate, FortiClient integrates with Security Fabric to provide endpoint awareness,
compliance, and enforcement by sharing endpoint telemetry regardless of device location, such as corporate
headquarters or a café. At its core, FortiClient automates prevention of known and unknown threats through its
built-in host-based security stack and integration with FortiSandbox. FortiClient also provides secure remote
access to corporate assets via VPN with native Two-Factor Authentication coupled with Single Sign On.

FortiClient works cooperatively with Fortinet’s Security Fabric. This is done by extending it down to the endpoints
to secure them via security profiles, by sharing endpoint telemetry to increase awareness of where systems, users
and data reside within an organization and by enabling the implementation of proper segmentation to protect
these endpoints.


At regular intervals, FortiClient sends telemetry data to the nearest associated FortiGate. This visibility coupled
with built-in controls from FortiGate allows the security administrator to construct a policy to deny access to
endpoints with known vulnerabilities or to quarantine compromised endpoints with a single click.

See also Get started with managed mode on page 18.

Feature comparison of standalone and managed modes


The following table provides a feature comparison between standalone FortiClient (free version) and managed
FortiClient (licensed version).

Both Modes (Free and Licensed)

Installation Options
  • Security Fabric Agent: Telemetry, vulnerability scanning, vulnerability patching
  • Secure Remote Access: SSL and IPsec VPN components
  • Advanced Persistent Threat (APT): FortiSandbox detection and quarantine components
  • Additional Security Features: AntiVirus, Web Filtering, Single Sign On, Application Firewall. Select one, two, or all of the additional security features.

Advanced Persistent Threat
  • Integration with FortiSandbox

AntiVirus
  • Real-time Antivirus Protection
  • Antirootkit/Antimalware
  • Grayware Blocking (Adware/Riskware)

Web Security
  • Web Filtering
  • YouTube Education Filter

Application Control
  • Application Firewall
  • Block Specific Application Traffic

Remote Access
  • SSL VPN
  • IPsec VPN
  • Client Certificate Support
  • X.509 Certificate Support
  • Elliptical Curve Certificate Support
  • Two-Factor Authentication

Vulnerability Management
  • Vulnerability scanning
  • Links to FortiGuard with information on the impact and recommended actions
  • Automatic software patching for identified vulnerabilities
  • List of software that requires manual installation of software patches

Logging
  • VPN, Application Firewall, Antivirus, Web Filter, Update, and Vulnerability Scan Logging
  • View logs locally

Only With Managed Mode (Licensed)

Security Fabric and Network Access Compliance
  • Participation in Security Fabric
  • Compliance status
  • Define and enforce enterprise security policies when FortiClient is used with FortiGate.

Central Monitoring and Management
  • Centralized FortiClient monitoring with FortiGate or EMS
  • Centralized configuration provisioning and deployment when FortiClient is used with EMS

Central Logging
  • Upload logs to FortiAnalyzer or FortiManager. FortiClient must connect to FortiGate or EMS to upload logs to FortiAnalyzer or FortiManager.

Fortinet product support for FortiClient

The following Fortinet products work together to support FortiClient in managed mode:

• FortiClient EMS
• FortiManager
• FortiGate
• FortiAnalyzer
• FortiSandbox


FortiClient EMS
FortiClient EMS runs on a Windows server. EMS can manage FortiClient endpoints by deploying FortiClient
(Windows) and profiles to endpoints, and the endpoints can connect FortiClient Telemetry to FortiGate or EMS.
FortiClient endpoints connect to FortiGate to participate in Security Fabric or compliance enforcement.
FortiClient endpoints connect to EMS to be managed in real time.

For information on EMS, see the FortiClient EMS Administration Guide, available in the Fortinet Document
Library.

FortiManager
FortiManager provides central FortiClient management for FortiGate devices that are managed by FortiManager.
In FortiManager, you can create one or more FortiClient profiles that you can assign to multiple FortiGate
devices. You can also import FortiClient profiles from one FortiGate device and assign the FortiClient profile to
other FortiGate devices. When endpoints are connected to managed FortiGate devices, you can use
FortiManager to monitor endpoints from multiple FortiGate devices.

For information on FortiManager, see the FortiManager Administration Guide, available in the Fortinet
Document Library.

FortiGate
FortiGate provides network security. FortiGate devices define compliance rules for NAC (network access
control) for connected endpoints, and FortiClient communicates the compliance rules from FortiGate to
endpoints. FortiGate devices communicate between endpoints, EMS, and FortiManager, when FortiManager is
used.

When FortiClient Telemetry is connected to FortiGate, endpoints can participate in Security Fabric or compliance
enforcement.

For information on FortiGate, see the FortiOS Handbook, available in the Fortinet Document Library.


FortiAnalyzer
FortiAnalyzer can receive logs from endpoints that are connected to FortiGate or EMS, and you can use
FortiAnalyzer to analyze the logs and run reports. FortiAnalyzer receives logs directly from FortiClient.

For information on FortiAnalyzer, see the FortiAnalyzer Administration Guide, available in the Fortinet
Document Library.

FortiSandbox
FortiSandbox offers the capabilities to analyze new, previously unknown, and undetected virus samples in
realtime. Files sent to it are scanned first, using an Antivirus (AV) engine and signatures similar to those available on
FortiOS and FortiClient. If the file is not detected but is an executable file, it is run in a Microsoft Windows virtual
machine (VM) and monitored. The file is given a rating or score based on its activities and behavior in the VM.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such
samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them
locally to all real-time and on-demand AV scanning.

For more information, see the FortiSandbox Administration Guide, available in the Fortinet Document Library.

This feature requires a FortiSandbox running version 2.1 or newer and is only available
on FortiClient (Windows).

What’s New in FortiClient 5.6

The following is a list of new features and enhancements in FortiClient 5.6.

This document was written for FortiClient (Windows) 5.6.0. Not all features described
in this document are supported for FortiClient (Mac OS X) 5.6.0.

FortiClient 5.6.0

The following is a list of new features in FortiClient version 5.6.0.

FortiClient install option


The FortiClient installer now only installs the features required for the solution chosen by the user at the time of install. See
FortiClient setup types and modules on page 26.

Improved FortiClient compliance feature


FortiClient endpoint compliance is now enforced by FortiOS, where the administrator can either warn or block non-
compliant endpoints. The FortiClient dashboard displays the compliance status and the reason for non-compliance.
The FortiClient dashboard also includes information on the configuration settings that are causing non-compliance.
See Compliance on page 43.

Vulnerability scan now supports FortiClient (Mac OS X)


The Vulnerability Scan and auto-patching feature is now supported in FortiClient (Mac OS X).

Vulnerability Scan GUI


The FortiClient GUI for the Vulnerability feature has been improved to show details on detected vulnerabilities
and patch status and to identify software that failed to be auto-patched. The improved display of the results helps
improve usability, because the user can easily identify outstanding vulnerabilities that may need to be fixed
manually. See Vulnerability Scan on page 107.

User Avatar retrieval from cloud applications


FortiClient can now be used to retrieve the username and user avatar from third-party cloud applications, such as
LinkedIn, Salesforce, and Google. See Specify user picture on page 48.

User Avatar sent to FortiAnalyzer


FortiClient can now send user avatar and device information to FortiAnalyzer so that it can be used in FortiView
and reports.


Improved remote logging to FortiAnalyzer


FortiClient endpoints now send detailed logs to FortiAnalyzer so that data can be used for FortiView and custom
reports. See Logging on page 114.

Sandbox detection for FortiClient (Windows)


With FortiClient (Windows), the Sandbox Detection feature can be used to send files to FortiSandbox for analysis
without having to install the AntiVirus feature. This feature can be used with other third-party AV products
installed on the endpoint. See Sandbox Detection on page 60.

New SSL VPN Windows Driver for FortiClient (Windows)


A new SSL VPN Windows driver has been introduced with FortiClient (Windows), which helps resolve various
SSL VPN connection issues. The new driver helps increase performance by 20% and provides a stable VPN
connection.

VPN Auto-Reconnect improvement


When the FortiClient VPN auto-connect feature is turned on and the VPN connection fails, a permanent pop-up window
is displayed to inform the user about the connection failure. FortiClient keeps retrying the VPN connection in the
background until the user selects an option from the pop-up window.

Configurator and Rebranding Tools


The FortiClient Configurator Tool, which is used to create custom installers, will be available for download for free
from the Fortinet Developer Network site (http://fndn.fortinet.net/). The FortiClient Rebranding Tool is available for
download with an FNDN site license.

FortiClient Rebranding Tool is currently only available for FortiClient (Windows).

Get Started

FortiClient can be used in standalone or managed mode. This section describes how to get started with each
mode. It also includes the key concepts that administrators and endpoint users should be aware of when using
FortiClient in managed mode.

Get started with standalone mode

In standalone mode, FortiClient software is installed to computers or devices that have Internet access and are
running a supported operating system. After FortiClient is installed, FortiClient automatically connects to
FortiGuard Center (http://www.fortiguard.com) to protect the computer or device.

To get started with FortiClient in standalone mode:

1. Prepare to install FortiClient. See Provisioning Preparation on page 24.
   During installation, endpoint users will choose which FortiClient modules to install. See FortiClient setup types and modules on page 26.
2. Install FortiClient on computers or devices with internet access. See Provisioning on page 30.
3. Launch FortiClient console.
   FortiClient connects to the Fortinet FortiGuard server to protect the computer.
4. Configure FortiClient settings. See Settings on page 114.
5. Configure the installed components.
   Depending on what FortiClient modules were installed, endpoint users can configure one, more, or all of the following modules:
   • Sandbox Detection—see Sandbox Detection on page 60
   • Antivirus—see Antivirus on page 72
   • Web Security—see Web Security/Web Filter on page 83
   • Remote access—see Remote Access on page 93
6. Use the installed modules by using the tabs in FortiClient console.
   Depending on what modules were installed, one, more, or all of the following tabs are available in FortiClient console:
   • Sandbox Detection
   • Antivirus
   • Web Security
   • Remote Access
   • Vulnerability Scan—see Vulnerability Scan on page 107

The Compliance tab is visible, but not used in standalone mode.


Get started with managed mode

In managed mode, FortiClient software is used with FortiGate or EMS. Another option is integrated mode where
FortiGate and EMS are used together with FortiClient.

In managed mode, FortiClient software is installed to computers or devices on your network that have Internet
access and are running a supported operating system. The computers or devices are referred to as endpoints.
After FortiClient software is installed on endpoints, FortiClient performs the following actions:

• Automatically connects to FortiGuard Center (http://www.fortiguard.com) to protect the endpoint
• Automatically attempts to connect FortiClient Telemetry to FortiGate or EMS
  The endpoint user confirms the request to complete the FortiClient Telemetry connection to FortiGate or EMS.

Administrators can optionally configure a FortiClient Telemetry connection that requires no confirmation by the
endpoint user. See Custom FortiClient installation files and rebranding on page 28.

After FortiClient Telemetry is connected to FortiGate or EMS, FortiClient receives a profile from FortiGate and/or
EMS, and the endpoint is managed.

To get started with FortiClient in managed mode:

1. (Administrators) Configure FortiGate and/or EMS to work with FortiClient.
   The following table identifies where to find information about configuring FortiGate and EMS.

   FortiGate   See the FortiOS Handbook - Security Profiles.
   EMS         See the FortiClient EMS Administration Guide.

2. (Administrators) Prepare to provision FortiClient. See Provisioning Preparation on page 24.
   Administrators can choose which FortiClient modules to install. See FortiClient setup types and modules on page 26.
3. (Administrators) Provision FortiClient on endpoints. See Provisioning on page 30.
   After FortiClient installs on endpoints, FortiClient Telemetry attempts connection to FortiGate or EMS. For more information, see FortiClient Telemetry on page 39.
   After FortiClient Telemetry is connected to FortiGate or EMS, FortiClient receives a profile from FortiGate and/or EMS. The computer with FortiClient installed and FortiClient Telemetry connected is now a managed endpoint.
4. (Administrators) Manage endpoints by using EMS. Administrators can also use FortiOS to monitor endpoints.
5. (Endpoint Users) Configure the installed components by using FortiClient console.
   Depending on what FortiClient modules were installed, whether FortiGate compliance rules are used, and whether an EMS administrator has locked settings, endpoint users can configure none or some of the following modules:
   • Sandbox Detection
   • Antivirus
   • Web Filter
   • Application Firewall
   • Remote Access
6. (Endpoint Users) Use the installed modules by using FortiClient console.
   Depending on what modules were installed, one, more, or all of the following tabs are available in FortiClient console:
   • Compliance
   • Sandbox Detection
   • Antivirus
   • Web Filter
   • Application Firewall
   • Remote Access
   • Vulnerability Scan

Managed mode concepts

This section introduces the following concepts related to administering FortiClient in managed mode:

• FortiGate and FortiClient profiles on page 19
• EMS and endpoint profiles on page 20
• Telemetry connection options on page 21
• Telemetry Gateway IP Lists on page 23

In FortiOS, administrators configure a FortiClient Profile, and in EMS administrators configure an endpoint
profile, and these profiles can be downloaded to FortiClient in managed mode. Unless referring specifically to a
profile created by using FortiOS or EMS, this guide uses the term profile when referring to either a FortiClient
Profile or an endpoint profile that is received by FortiClient.

FortiGate and FortiClient profiles


In FortiOS, administrators can configure a FortiClient profile and apply the profile to endpoints. The profile
achieves the following goals:

• Defines compliance rules for endpoint access to the network through FortiGate
• Defines the non-compliance action for FortiGate—that is, how FortiGate handles endpoints that fail to comply with compliance rules

Compliance rules
FortiGate compliance rules define what configuration FortiClient software and the endpoint must have for the
endpoint to maintain access to the network through FortiGate. The following is a sample of the compliance rules
that administrators can enable or disable in a FortiClient profile by using the FortiOS GUI:

• Telemetry data
• Endpoint vulnerability scan on client
• System compliance:
  • Minimum FortiClient version
  • What log types FortiClient will send to FortiAnalyzer
• Security posture check:
  • Realtime protection
  • Third party Antivirus on Windows
  • Web filter
  • Application firewall

Administrators can also define additional compliance rules by using the FortiOS CLI.

Although the compliance rules define what configuration FortiClient software and the endpoint must have, the
FortiClient profile from FortiGate does not include any configuration information. The endpoint user or
administrator is responsible for configuring FortiClient console to adhere to the compliance rules. An
administrator can use EMS to configure FortiClient console.

Non-compliance action
In addition to compliance rules, the FortiClient profile also defines how FortiGate will handle endpoints with a
not-compliant status. FortiGate can block and quarantine endpoints, or FortiGate can warn endpoints about the
not-compliant status, but allow network access. Administrators set the rules and non-compliance action by using
FortiOS, and FortiGate enforces the rules.

FortiGate 5.6.0 enforces compliance rules for FortiClient endpoints.

FortiClient console displays compliant and not-compliant status as well as information about how endpoint users
can return not-compliant endpoints to a status of compliant. The administrator or endpoint user is responsible for
reading the information in FortiClient console and updating FortiClient software on the endpoint to adhere to the
compliance rules. Endpoint users can edit settings in the FortiClient console that are not controlled by the
compliance rules or EMS.

Compliance rules configured by using the CLI


When using FortiOS to create FortiClient profiles, administrators can configure some rules only by using the
FortiOS CLI. Administrators must use the CLI to configure the following options: 

• Allowed operating system for endpoints
• Registry entries for endpoints
• File in the file system on endpoints

For more information, see the CLI Reference for FortiOS.
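The following Python is an added illustration, not code from this guide or from FortiOS: it models the compliance decision described in the three sections above (rules checked against endpoint telemetry, the unmet rules listed for the user, and the profile's non-compliance action deciding between warning and blocking), including the CLI-only allowed-OS rule. The rule names, telemetry fields and sample endpoints are constructed assumptions; the one concrete point it demonstrates is that the minimum-version rule must compare versions numerically, since a string comparison would treat 5.10.x as older than 5.6.0.

```python
"""Constructed model of the FortiGate compliance decision described in this
guide. Rule names, telemetry field names and sample data are assumptions
for illustration; they are not FortiOS's internal representation."""
from dataclasses import dataclass, field
from typing import List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Compare versions numerically so that 5.10.0 is newer than 5.6.0.
    A plain string comparison ("5.10.0" < "5.6.0") gets this wrong."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class EndpointTelemetry:
    """Assumed shape of what FortiClient reports about an endpoint."""
    forticlient_version: str
    os_name: str
    telemetry_connected: bool
    vulnerability_scan_enabled: bool
    realtime_protection: bool
    third_party_av: bool
    web_filter: bool
    application_firewall: bool


@dataclass
class ComplianceProfile:
    """Rules an administrator enables in a FortiClient profile (GUI or CLI)."""
    minimum_version: str = "5.6.0"
    require_telemetry: bool = True
    require_vulnerability_scan: bool = True
    require_realtime_protection: bool = True
    accept_third_party_av: bool = True   # Windows: third-party AV satisfies the AV check
    require_web_filter: bool = False
    require_application_firewall: bool = False
    allowed_os: List[str] = field(default_factory=list)  # empty list = any OS (CLI-only rule)
    non_compliance_action: str = "block"  # "block" (block and quarantine) or "warn"


def unmet_rules(profile: ComplianceProfile, ep: EndpointTelemetry) -> List[str]:
    """Return the human-readable list of rules the endpoint fails; this is
    the information FortiClient console shows so the user can fix them."""
    failures = []
    if profile.require_telemetry and not ep.telemetry_connected:
        failures.append("Telemetry data is not being sent")
    if profile.require_vulnerability_scan and not ep.vulnerability_scan_enabled:
        failures.append("Endpoint vulnerability scan is disabled")
    if parse_version(ep.forticlient_version) < parse_version(profile.minimum_version):
        failures.append(f"FortiClient {ep.forticlient_version} is older than "
                        f"the minimum version {profile.minimum_version}")
    if profile.require_realtime_protection:
        av_ok = ep.realtime_protection or (profile.accept_third_party_av and ep.third_party_av)
        if not av_ok:
            failures.append("Realtime protection (or accepted third-party AV) is not active")
    if profile.require_web_filter and not ep.web_filter:
        failures.append("Web filter is disabled")
    if profile.require_application_firewall and not ep.application_firewall:
        failures.append("Application firewall is disabled")
    if profile.allowed_os and ep.os_name not in profile.allowed_os:
        failures.append(f"Operating system {ep.os_name!r} is not in the allowed list")
    return failures


def evaluate(profile: ComplianceProfile, ep: EndpointTelemetry) -> Tuple[str, List[str]]:
    """Map unmet rules to the status the console would display.
    'compliant' and 'warning' keep network access; 'blocked' does not."""
    failures = unmet_rules(profile, ep)
    if not failures:
        return "compliant", []
    if profile.non_compliance_action == "warn":
        return "warning", failures
    return "blocked", failures


# Constructed sample endpoints: one up to date, one running an old client
# that relies on a third-party antivirus product instead of FortiClient AV.
COMPLIANT = EndpointTelemetry("5.10.1", "Windows 10", True, True, True, False, False, False)
STALE = EndpointTelemetry("5.4.3", "Windows 10", True, True, False, True, False, False)

if __name__ == "__main__":
    for endpoint in (COMPLIANT, STALE):
        status, reasons = evaluate(ComplianceProfile(), endpoint)
        print(endpoint.forticlient_version, status, reasons)
```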

EMS and endpoint profiles


In EMS, administrators can configure an endpoint profile and apply the profile to endpoints. The profile defines
the configuration for FortiClient software on endpoints. Administrators can also use the endpoint profile to install
and upgrade FortiClient on endpoints. The profile consists of the following sections:

• FortiClient Installer
• Antivirus
• Sandbox
• Web Filter
• Firewall
• VPN
• Vulnerability Scan
• System Settings

When the endpoint receives the configuration information in the endpoint profile, the settings in FortiClient
console are automatically updated. Settings in FortiClient console are locked and read-only when EMS provides
the configuration in a profile.

For more information about configuring endpoint profiles by using EMS, see the FortiClient EMS Administration
Guide, available in the Fortinet Document Library.

Telemetry connection options


FortiClient Telemetry can connect to the following products:

• EMS—see EMS on page 21
• FortiGate—see FortiGate on page 21
• FortiGate and EMS in integrated mode—see FortiGate and EMS integration on page 22

EMS manages FortiClient endpoints by using the FortiClient Telemetry connection. Endpoints connect FortiClient
Telemetry to FortiGate to participate in Security Fabric or compliance enforcement. FortiGate units do not manage
endpoints.

EMS
In this configuration, FortiClient Telemetry connects to EMS, and FortiClient receives a profile from EMS. The
profile contains the configuration information for FortiClient, and EMS manages FortiClient endpoints. Network
Access Control (NAC) and compliance are not supported.

FortiGate
In this configuration, FortiClient Telemetry is connected to FortiGate, and FortiClient receives a profile from
FortiGate. The profile contains the compliance rules for FortiClient, but not any configuration information for
FortiClient. NAC and compliance can be supported.


FortiGate and EMS integration


In this configuration, FortiClient Telemetry connects to FortiGate to receive compliance rules. This is the primary
Telemetry connection. NAC and compliance are supported. FortiClient Telemetry also connects to EMS to
receive a profile of configuration information. This is the secondary Telemetry connection. This configuration is
sometimes called integrated mode.

FortiGate does not provide configuration information for FortiClient and the endpoint.
Endpoint users must manually configure FortiClient console, or an administrator must
configure FortiClient by using an EMS endpoint profile.

Following is a summary of how the FortiClient Telemetry connection works in integrated mode:

• FortiClient Telemetry connects to FortiGate. This is the primary FortiClient Telemetry connection.
• FortiClient Telemetry connects to EMS. This is the secondary FortiClient Telemetry connection.
• FortiClient receives a profile of compliance rules from FortiGate.
• FortiClient receives a profile of configuration information from EMS.

Administrators should ensure that the configuration information from EMS matches the compliance rules set on
FortiGate to avoid conflicting settings.


Telemetry Gateway IP Lists


The Telemetry Gateway IP List is a list of gateway IP addresses that FortiClient in managed mode can use to
connect FortiClient Telemetry to FortiGate or EMS. After FortiClient installation completes on the endpoint,
FortiClient automatically launches and uses the Telemetry Gateway IP List to locate FortiGate and/or EMS for
FortiClient Telemetry connection.

After FortiClient is installed on the endpoint and FortiClient Telemetry is connected to FortiGate and/or EMS,
endpoint users can view the Telemetry Gateway IP List in the FortiClient console. See View gateway IP lists on
page 50.

Configure Telemetry Gateway IP Lists (EMS)


FortiClient EMS includes the option to create one or more Telemetry Gateway IP Lists. The list can include
IP addresses for EMS and for FortiGate. Administrators can assign Telemetry Gateway IP Lists to domains and
workgroups in EMS. Administrators can also update the assigned Telemetry Gateway IP Lists after FortiClient is
installed, and the updated lists are pushed to endpoints. See the FortiClient EMS Administration Guide.

Configure Telemetry Gateway IP Lists (FortiGate)


If administrators are using FortiGate without EMS, administrators can add Telemetry Gateway IP addresses to
the FortiClient installer by using the Configurator Tool. See Custom FortiClient installation files and rebranding
on page 28.

EMS and automatic upgrade of FortiClient


When EMS is used to manage FortiClient endpoints, you can use EMS to create a FortiClient installer that is
configured to automatically upgrade FortiClient on endpoints to the latest version.

After the FortiClient installer with automatic upgrade enabled is deployed to endpoints, FortiClient is
automatically upgraded to the latest version when a new version of FortiClient is available via EMS. For more
information, see the FortiClient EMS Administration Guide.

Provisioning Preparation

Before provisioning FortiClient, administrators and endpoint users should understand the installation
requirements and the FortiClient setup types available for installation. Administrators should also be aware of the
licensing requirements when installing FortiClient in managed mode.

This section also identifies what firmware images and tools are available for FortiClient and where you can
download the FortiClient installers.

Installation requirements

The following table lists operating system support and the minimum system requirements.

Operating System Support:
l Microsoft Windows 7 (32-bit and 64-bit)
l Microsoft Windows 8 (32-bit and 64-bit)
l Microsoft Windows 8.1 (32-bit and 64-bit)
l Microsoft Windows 10 (32-bit and 64-bit)
FortiClient 5.6.0 does not support Microsoft Windows XP and Microsoft Windows Vista.

Minimum System Requirements:
l Microsoft Internet Explorer version 8 or later
l Microsoft Windows compatible computer with Intel processor or equivalent
l Compatible operating system and minimum 512MB RAM
l 600MB free hard disk space
l Native Microsoft TCP/IP communication protocol
l Native Microsoft PPP dialer for dial-up connections
l Ethernet NIC for network connections
l Wireless adapter for wireless network connections
l Adobe Acrobat Reader for documentation
l MSI installer 3.0 or later

Operating System Support:
l Microsoft Windows Server 2008 R2 or newer

Minimum System Requirements:
l Microsoft Internet Explorer version 8 or later
l Microsoft Windows compatible computer with Intel processor or equivalent
l Compatible operating system and minimum 512MB RAM
l 600MB free hard disk space
l Native Microsoft TCP/IP communication protocol
l Native Microsoft PPP dialer for dial-up connections
l Ethernet NIC for network connections
l Wireless adapter for wireless network connections
l Adobe Acrobat Reader for documentation
l MSI installer 3.0 or later

Operating System Support:
l Mac OS X v10.9 Mavericks
l Mac OS X v10.10 Yosemite
l Mac OS X v10.11 El Capitan
l Mac OS X v10.12 Sierra

Minimum System Requirements:
l Apple Mac computer with an Intel processor
l 256MB of RAM
l 20MB of hard disk drive (HDD) space
l TCP/IP communication protocol
l Ethernet NIC for network connections
l Wireless adapter for wireless network connections

For Microsoft Windows servers, the AntiVirus and Vulnerability Scan features for
FortiClient are supported.

Licensing

FortiClient in standalone mode does not require a license.

FortiClient in managed mode requires a license. In managed mode, FortiClient licensing is applied to FortiGate
or EMS.

When using the ten (10) free licenses for FortiClient in managed mode, support is
provided on the Fortinet Forums (forum.fortinet.com). Phone support is not provided
when using the free licenses. Phone support is provided for paid licenses.

FortiClient licenses for FortiGate


FortiGate 30 series and higher models include a FortiClient license for ten (10), free, connected endpoints. For
additional connected endpoints, you must purchase a FortiClient license subscription. Contact your Fortinet sales
representative for information about FortiClient licenses.

For a video about applying FortiClient licenses to FortiGate, see the How to Purchase
or Renew FortiClient Endpoint Subscription video at https://video.fortinet.com/product/forticlient.

FortiClient licenses for EMS


EMS includes a FortiClient license for ten (10), free, connected endpoints for evaluation. For additional
connected endpoints, you must purchase a FortiClient license subscription. Contact your Fortinet sales
representative for information about FortiClient licenses.

For a video about applying FortiClient licenses to EMS, see the How to License
FortiClient EMS video at https://video.fortinet.com/product/forticlient-ems.


FortiClient setup types and modules

The Advanced Persistent Threat (APT) module is available only for FortiClient (Windows).

When you install FortiClient, you can choose which setup type and modules to install:

l Security Fabric Agent
l Secure Remote Access
l Advanced Persistent Threat (APT) Components
l Additional Security Features

The following table summarizes the impact of the options:

Setup Type: Security Fabric Agent
Description: Enabled by default, and you cannot disable Security Fabric Agent. Installs components to support
the Security Fabric available with FortiGates, including FortiClient Telemetry, vulnerability scanning, and
vulnerability remediation.
Impact on FortiClient Console: Displays the following tabs:
l Compliance
l Vulnerability Scan

Setup Type: Secure Remote Access
Description: Optional. Supports SSL and IPsec VPN access.
Impact on FortiClient Console: Displays the Remote Access tab.

Setup Type: Advanced Persistent Threat (APT) Components
Description: Optional. Supports FortiSandbox.
Impact on FortiClient Console: Displays the Sandbox Detection tab to let you connect to a FortiSandbox unit.

Setup Type: Additional Security Features
Description: Optional. Supports AntiVirus, Web Filtering, Application Firewall, and Single Sign On. You can
select one, more, or all security features.
Impact on FortiClient Console: Displays the following tabs when all security features are selected:
l AntiVirus
l Web Filtering
l Application Firewall
When Single Sign On is selected, FortiClient supports the single sign on feature. When a security feature is not
selected, the tab is hidden from view in FortiClient console.

EMS and FortiClient setups


For FortiClient in managed mode, you can use an EMS profile to disable installed components in FortiClient
console, but you cannot use an EMS profile to enable uninstalled components in FortiClient console. See
EMS and endpoint profiles on page 20.


For example, if you install FortiClient with APT components selected, the Sandbox Detection tab is included in
FortiClient console, and you can use an EMS profile to disable the Sandbox Detection tab. However, if you install
FortiClient with APT components cleared, the Sandbox Detection tab is excluded from FortiClient console, and
you cannot use an EMS profile to enable the Sandbox Detection tab.

FortiGate compliance and FortiClient setups


For endpoints that will have FortiClient Telemetry connected to FortiGate with endpoint compliance enabled,
ensure that FortiClient is installed with the setup required by the FortiGate compliance rules. For more
information about compliance rules, see Compliance rules on page 19.

For example, if the FortiGate compliance rules require the Web Filter tab to be enabled in FortiClient console,
FortiClient must be installed with Additional Features and Web Filtering selected to meet the compliance rules.
If FortiClient is installed with an incorrect setup for the compliance rules, you must uninstall FortiClient and
reinstall FortiClient with the setup required by the compliance rules.

Firmware images and tools

Firmware images and tools are available for Microsoft Windows and Mac OS X. See also Custom FortiClient
installation files and rebranding on page 28.

Microsoft Windows
The following files are available in the firmware image file folder:

l FortiClientSetup_5.6.xx.xxxx.exe
Standard installer for Microsoft Windows (32-bit).

l FortiClientSetup_5.6.xx.xxxx.zip
A zip package containing FortiClient.msi and language transforms for Microsoft Windows (32-bit). Some
properties of the MSI package can be customized with FortiClient Configurator tool.

l FortiClientSetup_5.6.xx.xxxx_x64.exe
Standard installer for Microsoft Windows (64-bit).

l FortiClientSetup_5.6.xx.xxxx_x64.zip
A zip package containing FortiClient.msi and language transforms for Microsoft Windows (64-bit). Some
properties of the MSI package can be customized with FortiClient Configurator tool.

l FortiClientTools_5.6.xx.xxxx.zip
A zip package containing miscellaneous tools, including VPN Automation files:

The following tools and files are available in the FortiClientTools_5.6.xx.xxxx.zip file:

l FortiClientVirusCleaner
A virus cleaner.

l OnlineInstaller
This file downloads and installs the latest FortiClient file from the public FDS.

l SSLVPNcmdline
Command line SSL VPN client.

l SupportUtils
Includes diagnostic, uninstallation, and reinstallation tools.

l VPNAutomation
A VPN automation tool.

Mac OS X
The following files are available in the firmware image file folder:

l FortiClient_5.6.x.xxx_macosx.dmg
Standard installer for Mac OS X.

l FortiClientTools_5.6.x.xxx_macosx.tar
FortiClient includes various utility tools and files to help with installations.

The following tools and files are available in the FortiClientTools .tar file:

l OnlineInstaller
This file downloads and installs the latest FortiClient file from the public FDS.

Where to download FortiClient installation files

You can download the FortiClient installation files from the following sites:

l Fortinet Customer Service & Support: https://support.fortinet.com
Requires a support account with a valid support contract. Download either the Microsoft Windows (32-bit/64-bit)
or the Mac OS X installation file.

l FortiClient homepage: www.forticlient.com
Download the FortiClient online installation file. The installer file performs a virus and malware scan of the
target system prior to installing FortiClient.

Custom FortiClient installation files and rebranding

The following tools are available from Fortinet Developer Network (FNDN) at https://fndn.fortinet.net/:

l FortiClient Configurator Tool
l FortiClient Rebranding Tool

An account is required to access FNDN. Information about creating an account is available at
https://fndn.fortinet.net/.

You can use the free FortiClient Configurator Tool to create customized FortiClient installation files, and you can
use the licensed FortiClient Rebranding Tool to create customized FortiClient installation files as well as rebrand
FortiClient.


Starting with FortiClient 5.6.0, the FortiClient Configurator Tool is available for free
download from the Tools > Personal Toolkit section of FNDN
at https://fndn.fortinet.net/.

Provisioning

FortiClient can be installed on a standalone computer by using the installation wizard or deployed to multiple
Microsoft Windows systems by using Microsoft Active Directory (AD).

You can use EMS to deploy FortiClient to multiple Microsoft Windows systems. For
information, see the FortiClient EMS Administration Guide.

Install FortiClient on computers

The following section describes how to install FortiClient on a computer that is running a Microsoft Windows or
Apple Mac operating system.

Microsoft Windows computer


The following instructions will guide you through the installation of FortiClient on a Microsoft Windows computer.
For more information, see the FortiClient (Windows) Release Notes.

When installing FortiClient, it is recommended to use the FortiClientOnlineInstaller file. This file will launch the
FortiClient Virus Cleaner which will scan the target system prior to installing the FortiClient application. The
FortiClientOnlineInstaller file always installs the latest version of FortiClient that is available on FDN, not the
version of FortiClient referenced in the filename or listed on the Customer Service & Support site.

To check the digital signature of FortiClient, right-click on the installation file and select Properties. In this menu
you can set file attributes, run the compatibility troubleshooter, view the digital signature and certificate, install
the certificate, set file permissions, and view file details.
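A scripted version of that signature check, added here as an example and not part of the FortiClient guide or Fortinet's tooling: it runs Get-AuthenticodeSignature on the downloaded installer, requires a Valid chain plus an expected publisher, and records the SHA-256 of the file so the copy you deploy can be audited later. The installer path and the 'Fortinet' signer substring are assumptions; set them to the file you downloaded and the subject shown in its certificate.

```powershell
# Added example, not from the FortiClient guide: verify the Authenticode
# signature of a downloaded installer before it goes to the distribution point.
# The path and the signer substring are assumptions; adjust them.
$installer      = 'C:\Downloads\FortiClientSetup_5.6.xx.xxxx_x64.exe'   # assumed path
$expectedSigner = 'Fortinet'                                             # assumed substring of the certificate subject

function Test-FortiClientInstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$SignerSubstring = 'Fortinet'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Installer not found: $Path"
    }
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $hash    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Both conditions must hold: the chain validates to a trusted root AND the
    # signer is the publisher we expect. A valid signature from an unrelated
    # publisher still means this is not the file we meant to deploy.
    $ok = ($sig.Status -eq 'Valid') -and ($subject -like "*$SignerSubstring*")

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = $subject
        SHA256  = $hash            # keep with the deployment record for later auditing
        Trusted = $ok
    }
}

$result = Test-FortiClientInstallerSignature -Path $installer -SignerSubstring $expectedSigner
$result | Format-List
if (-not $result.Trusted) {
    Write-Error "Refusing to deploy: signature status '$($result.Status)' from '$($result.Signer)'"
}
```

Run it on the file as downloaded, before copying it to any share: a HashMismatch status means the file was altered after signing, and NotSigned means it is not the installer Fortinet published.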


To install FortiClient (Windows):

1. Double-click the FortiClient executable file. The Setup Wizard launches.
When using the FortiClient Online Installer file, the FortiClient Virus Cleaner will run before launching the
Setup Wizard.
If a virus is found that prevents the infected system from downloading the new FortiClient package, see
Install FortiClient on infected systems on page 33.

2. In the Welcome to the FortiClient Setup Wizard screen, perform the following actions, and click Next:
l Click the License Agreement button, and read the license agreement. You have the option to print the EULA in
this License Agreement screen. Click Close to return to the installation wizard.
l Select the Yes, I have read and accept the license checkbox.
The Choose Setup Type screen is displayed.

3. Select one or more of the following setup types:

The Security Fabric Agent option is enabled by default, and you cannot deselect it.


l Security Fabric Agent: Endpoint telemetry, host vulnerability scanning and remediation
l Secure Remote Access: VPN components (IPsec and SSL) will be installed
l Advanced Persistent Threat (APT) Components: FortiSandbox detection and quarantine features
l Additional Security Features: AntiVirus, Web Filtering, Single Sign On, Application Firewall
4. Click Next to continue. The Destination Folder screen is displayed.
5. (Optional) Click Change to choose an alternate folder destination for installation.
6. Click Next to continue.
FortiClient will search the target system for other installed antivirus software. If found, FortiClient will display
the Conflicting Antivirus Software page. You can either exit the current installation and uninstall the
antivirus software, disable the antivirus feature of the conflicting software, or continue with the installation
with FortiClient real-time protection disabled.

This dialog box is displayed during a new installation of FortiClient and when
upgrading from an older version of FortiClient, which does not have the antivirus
feature installed.

It is recommended to uninstall the conflicting antivirus software before installing
FortiClient or enabling the antivirus real-time protection feature. Alternatively, you can
disable the antivirus feature of the conflicting software.


7. Click Next to continue.
8. Click Install to begin the installation.
9. Click Finish to exit the FortiClient Setup Wizard.
On a new FortiClient installation, you do not need to reboot your system. When upgrading the FortiClient
version, you must restart your system for the configuration changes made to FortiClient to take effect. Select
Yes to restart your system now, or select No to manually restart later.
FortiClient will update signatures and components from the FortiGuard Distribution Network (FDN).

10. FortiClient will attempt to connect FortiClient Telemetry to the FortiGate.


If the FortiGate cannot be located on the network, manually connect FortiClient Telemetry. See Connect
FortiClient Telemetry manually on page 43.

If you have any questions about connecting FortiClient Telemetry to FortiGate, please
contact your network administrator.

11. To launch FortiClient, double-click the desktop shortcut icon.

Microsoft Server
You can install FortiClient on a Microsoft Windows Server 2008 R2, 2012, or 2012 R2 server. You can use the
regular FortiClient Windows image for Server installations.

Please refer to the Microsoft knowledge base for caveats on installing antivirus software in a server
environment. See the Microsoft Anti-Virus exclusion list:
http://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx

Mac OS X computer
The following instructions will guide you through the installation of FortiClient on a Mac OS X computer. For more
information, see the FortiClient (Mac OS X) Release Notes.

To install FortiClient (Mac OS X):

1. Double-click the FortiClient .dmg installer file. The FortiClient for Mac OS X dialog box is displayed.
2. Double-click Install. The Welcome to the FortiClient Installer dialog box is displayed.
3. (Optional) Click the lock icon in the upper-right corner to view certificate details, and click OK to close the dialog
box.


4. Click Continue.
5. Read the Software License Agreement, and click Continue.
You have the option to print or save the Software Agreement in this window. You will be prompted to Agree
with the terms of the license agreement.

6. If you agree with the terms of the license agreement, click Agree to continue the installation.
7. Perform one of the following actions:
l Click Install to perform a standard installation on this computer, which includes the following modules: Security
Fabric Agent and Secure Remote Access.
l Click Customize to choose which FortiClient modules to install. See FortiClient setup types and modules on
page 26.
8. Depending on your system, you may be prompted to enter your system password.
9. After the installation completes successfully, click Close to exit the installer.
FortiClient has been saved to the Applications folder.

10. Double-click the FortiClient icon to launch the application. The application console loads to your desktop. Click the
lock icon in the FortiClient console to make changes to the FortiClient configuration.

Install FortiClient on infected systems

The FortiClient installer always runs a quick antivirus scan on the target host system before proceeding with the
complete installation. If the system is clean, installation proceeds as usual.

Any virus found during this step is quarantined before installation continues.

In case a virus on an infected system prevents downloading of the new FortiClient package, use the following
process:

l Boot into “safe mode with networking” (which is required for the FortiClient installer to download the latest signature
packages from the Fortinet Distribution Network).
l Run the FortiClient installer.


This scans the entire file system. A log file is generated in the logs sub-directory. If a virus is found, it will be
quarantined. When complete, reboot back into normal mode and run the FortiClient installer to complete the
installation.

Microsoft Windows will not allow FortiClient installation to complete in safe mode. An
error message will be generated. It is necessary to reboot back into normal mode to
complete the installation.

Install FortiClient as part of cloned disk images

If you configure computers using a cloned hard disk image, you need to remove the unique identifier from the
FortiClient application. You will encounter problems with FortiGate if you deploy multiple FortiClient applications
with the same identifier.

This section describes how to include a custom FortiClient installation in a cloned hard disk image but remove its
unique identifier. On each computer configured with the cloned hard disk image, the FortiClient application will
generate its own unique identifier the first time the computer is started.

To include a FortiClient installation in a hard disk image:

1. Install and configure the FortiClient application to suit your requirements.
You can use a standard or a customized installation package.

2. Right-click the FortiClient icon in the system tray and select Shutdown FortiClient.
3. From the folder where you expanded the FortiClientTools.zip file, run RemoveFCTID.exe. The RemoveFCTID
tool requires administrative rights.

Do not include the RemoveFCTID tool as part of a logon script.

4. Shut down the computer.

Do not reboot the Windows operating system on the computer before you create the
hard disk image. The FortiClient identifier is created before you log on.

5. Create the hard disk image and deploy it as needed.

Deploy FortiClient using Microsoft AD servers

There are multiple ways to deploy FortiClient MSI packages to endpoint devices including using Microsoft Active
Directory (AD). See Firmware images and tools on page 27.

The following instructions are based from Microsoft Windows Server 2008. If you are
using a different version of Microsoft Server, your MMC or snap-in locations may be different.


Using Microsoft AD to deploy FortiClient:

1. On your domain controller, create a distribution point.
2. Log on to the server computer as an administrator.
3. Create a shared network folder where the FortiClient MSI installer file will be distributed from.
4. Set file permissions on the share to allow access to the distribution package. Copy the FortiClient MSI installer
package into this share folder.
5. Select Start > Administrative Tools > Active Directory Users and Computers.
6. After selecting your domain, right-click to select a new Organizational Unit (OU).
7. Move all the computers you wish to distribute the FortiClient software to into the newly-created OU.
8. Select Start > Administrative Tools > Group Policy Management. The Group Policy Management MMC Snap-in
will open. Select the OU you just created. Right-click it, select Create a GPO in this domain, and Link it here.
Give the new GPO a name then select OK.
9. Expand the Group Policy Object container and find the GPO you just created. Right-click the GPO and select Edit.
The Group Policy Management Editor MMC Snap-in will open.
10. Expand Computer Configuration > Policies > Software Settings. Right-click Software Settings and select New >
Package.
11. Select the path of your distribution point and FortiClient installer file and then select Open. Select Assigned and
select OK. The package will then be generated.
12. If you wish to expedite the installation process, on both the server and client computers, force a GPO update.
13. The software will be installed on the client computer’s next reboot. You can also wait for the client computer to poll
the domain controller for GPO changes and install the software then.
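The same preparation scripted, as an added example that is not part of the FortiClient guide or Fortinet's tooling: it covers steps 1 through 9 above on a domain controller running Windows Server 2012 or later (for New-SmbShare) with the ActiveDirectory and GroupPolicy modules, and is safe to re-run. The share name, folder paths, OU name, GPO name and computer names are assumptions. Assigning the software installation package (steps 10 and 11) has no GroupPolicy cmdlet, so that part stays in the Group Policy Management Editor; the script prints the UNC path to use there.

```powershell
# Added example, not part of the FortiClient guide or Fortinet's tooling:
# scripted equivalent of steps 1 to 9 above, run as a domain administrator on a
# domain controller (Windows Server 2012 or later for New-SmbShare).
# Every name and path below is an assumption; change them to match your domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$shareRoot = 'C:\FortiClientDist'                 # assumed local folder for the distribution point
$shareName = 'FortiClientDist'                    # assumed share name
$msiSource = 'C:\Downloads\FortiClient.msi'       # assumed: FortiClient.msi from the installer zip
$ouName    = 'FortiClient Endpoints'              # assumed OU name
$gpoName   = 'Deploy FortiClient'                 # assumed GPO name
$computers = @('WS-001', 'WS-002')                # assumed computer names to move into the OU
$domainDN  = (Get-ADDomain).DistinguishedName     # e.g. DC=example,DC=com
$readers   = "$env:USERDOMAIN\Domain Computers"   # assigned packages are installed by the computer account at boot

# Steps 1-4: distribution point with read-only access for the computer accounts.
New-Item -ItemType Directory -Path $shareRoot -Force | Out-Null
Copy-Item -Path $msiSource -Destination $shareRoot -Force
icacls $shareRoot /grant "${readers}:(OI)(CI)RX" | Out-Null
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $shareRoot -ReadAccess $readers | Out-Null
}

# Steps 6-7: create the OU and move the target computers into it.
$ouDN = "OU=$ouName,$domainDN"
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}
foreach ($name in $computers) {
    $c = Get-ADComputer -Identity $name
    if ($c.DistinguishedName -notlike "*,$ouDN") {
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $ouDN
    }
}

# Steps 8-9: create the GPO (if missing) and link it to the OU.
$gpo = Get-GPO -All | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Steps 10-11 have no GroupPolicy cmdlet: open the GPO in the Group Policy
# Management Editor and add FortiClient.msi as an Assigned package using this UNC path.
Write-Output "\\$env:COMPUTERNAME\$shareName\FortiClient.msi"

# Step 12: force the policy refresh here; run 'gpupdate /force' on the clients as well.
gpupdate /force
```

Granting only read access to Domain Computers, rather than Everyone, keeps the share from becoming a place where an ordinary user could swap the MSI that every machine installs at boot; the signature check in the previous section is worth repeating on the copy in the share.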

Uninstall FortiClient using Microsoft Active Directory server:

1. On your domain controller, select Start > Administrative Tools > Group Policy Management. The Group Policy
Management MMC Snap-in will open. Expand the Group Policy Objects container and right-click the Group Policy
Object you created to install FortiClient and select Edit. The Group Policy Management Editor will open.
2. Select Computer Configuration > Policy > Software Settings > Software Installation. You will now be able to see
the package that was used to install FortiClient.
3. Right-click the package, select All Tasks > Remove. Choose Immediately uninstall the software from users and
computers, or Allow users to continue to use the software but prevent new installations. Select OK. The package
will delete.
4. If you wish to expedite the uninstall process, on both the server and client computers, force a GPO update as
shown in the previous section. The software will be uninstalled on the client computer’s next reboot. You can also
wait for the client computer to poll the domain controller for GPO changes and uninstall the software then.

Deploy FortiClient using Microsoft AD user groups

When FortiClient Telemetry connects to FortiGate, the user's AD domain name and group are both sent to
FortiGate. Administrators may configure FortiGate to deploy endpoint and/or firewall profiles based on the end
user's AD domain group.

The following steps are discussed in more detail:

l Configure users and groups on AD servers
l Configure FortiAuthenticator
l Configure FortiGate
l Connect FortiClient Telemetry to FortiGate
l Monitor FortiClient connections

Configure users and groups on AD servers


Create the user accounts and groups on the AD server. Groups may have any number of users. A user may
belong to more than one group at the same time.

Configure FortiAuthenticator
Configure FortiAuthenticator to use the AD server that you created. For more information see the
FortiAuthenticator Administration Guide in the Fortinet Document Library.

Configure FortiGate

Add the FortiAuthenticator or Fortinet Single Sign-On Agent (FSSO):

1. Go to User & Device > Single Sign-On.
2. Select Create New in the toolbar. The New Single Sign-On Server window opens.
3. In the type field, select Fortinet Single-Sign-On Agent.
4. Enter the information required for the agent. This includes the name, primary and secondary IP addresses, and
passwords. Select an LDAP server in the drop-down list if applicable. Select More FSSO agents to add up to three
additional agents.
5. Select OK to save the agent configuration.

Create a user group:

1. Go to User & Device > User Groups.
2. Select Create New in the toolbar. The New User Group window opens.
3. In the type field, select Fortinet Single-Sign-On (FSSO).
4. Select members from the drop-down list.
5. Select OK to save the group configuration.


Configure the FortiClient profile:

1. Go to Security Profiles > FortiClient Profiles.
2. Select Create New in the toolbar. The New FortiClient Profile window opens.
3. Enter a profile name and optional comments.
4. In the Assign Profile To drop-down list select the FSSO user group(s).
5. Configure FortiClient configuration as required.
6. Select OK to save the new FortiClient profile.

Create any number of FortiClient profiles with different groups and different settings.
The default profile will be assigned to users who connect successfully, but have no
matching FortiClient profile.

Configure the firewall policy:

Configure the firewall policy. Ensure that Compliant with FortiClient Profile is selected in the policy.

Connect FortiClient Telemetry to FortiGate


The Microsoft Windows system on which FortiClient is installed should join the domain of the AD server
configured earlier. Users may log in with their domain user name.

Following this, endpoint connections will send the logged-in user's name and domain to the FortiGate. The
FortiGate will assign the appropriate profiles based on the configurations.

Monitor FortiClient connections


The following FortiOS CLI command lists information about connected clients. This includes domain-related
details for the client (if any).

diagnose endpoint record-list
Record #1:
IP_Address = 172.172.172.111(1)
MAC_Address = b0:ac:6f:70:e0:a0
Host MAC_Address = b0:ac:6f:70:e0:a0
MAC list = b0-ac-6f-70-e0-a0;
VDOM = root
Registration status: Forticlient installed but not registered
Online status: offline
DHCP on-net status: off-net
DHCP server: None
FCC connection handle: 6
FortiClient version: 5.1.29
AVDB version: 22.137
FortiClient app signature version: 3.0
FortiClient vulnerability scan engine version: 1.258
FortiClient feature version status: 0
FortiClient UID: BE6B76C509DB4CF3A8CB942AED2064A0 (0)
FortiClient config dirty: 1:1:1
FortiClient KA interval dirty: 0
FortiClient Full KA interval dirty: 0
FortiClient server config: d9f86534f03fbed109676ee49f6cfc09::
FortiClient config: 1
FortiClient iOS server mconf:
FortiClient iOS mconf:
FortiClient iOS server ipsec_vpn mconf:
FortiClient iOS ipsec_vpn mconf:
Endpoint Profile: Documentation
Reg record pos: 0
Auth_AD_groups:
Auth_group:
Auth_user:
Host_Name:
OS_Version: Microsoft Windows 7 , 64-bit Service Pack 1 (build 7601)
Host_Description: AT/AT COMPATIBLE
Domain:
Last_Login_User: FortiClient_User_Name
Host_Model: Studio 1558
Host_Manufacturer: Dell Inc.
CPU_Model: Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz
Memory_Size: 6144
Installed features: 55
Enabled features: 21
online records: 0; offline records: 1
status -- none: 0; uninstalled: 0; unregistered: 1; registered: 0; blocked: 0
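To act on that output at scale, the following added example (not from the guide and not a FortiOS feature) parses the record-list text into objects and flags endpoints that are installed but not registered, not online, or running a release below an assumed baseline. Record #1 is the sample shown above; Record #2 is a constructed healthy endpoint so the filter has something to let through, and its wording for a registered record is a guess, as is the 5.6.0 baseline.

```powershell
# Added example, not part of the FortiClient guide: parse the output of the
# FortiOS command 'diagnose endpoint record-list' and flag endpoints that need
# attention. Record #1 is the sample from the guide; Record #2 is constructed.
$sample = @'
Record #1:
IP_Address = 172.172.172.111(1)
MAC_Address = b0:ac:6f:70:e0:a0
Host MAC_Address = b0:ac:6f:70:e0:a0
VDOM = root
Registration status: Forticlient installed but not registered
Online status: offline
FortiClient version: 5.1.29
FortiClient UID: BE6B76C509DB4CF3A8CB942AED2064A0 (0)
Endpoint Profile: Documentation
OS_Version: Microsoft Windows 7 , 64-bit Service Pack 1 (build 7601)
Host_Name:
Last_Login_User: FortiClient_User_Name
Record #2:
IP_Address = 172.172.172.112(1)
MAC_Address = 00:11:22:33:44:55
VDOM = root
Registration status: Forticlient installed and registered
Online status: online
FortiClient version: 5.6.0
Endpoint Profile: Documentation
Host_Name: WS-002
Last_Login_User: EXAMPLE\alice
online records: 1; offline records: 1
'@

function ConvertFrom-EndpointRecordList {
    # Turn the "Record #N:" blocks into one object per endpoint. Fields appear as
    # either "Key = value" or "Key: value"; the trailing summary lines end the list.
    param([Parameter(Mandatory)][string]$Text)
    $records = @()
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^Record #(\d+):') {
            if ($null -ne $current) { $records += [pscustomobject]$current }
            $current = [ordered]@{ Record = [int]$Matches[1] }
            continue
        }
        if ($null -eq $current) { continue }
        if ($line -match '^(online|offline) records:') { break }
        if ($line -match '^([^=:]+?)\s*[=:]\s*(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($null -ne $current) { $records += [pscustomobject]$current }
    $records
}

function Get-EndpointFindings {
    param(
        [Parameter(Mandatory)][string]$Text,
        [version]$MinimumVersion = '5.6.0'   # assumed baseline; set to the release you deployed
    )
    foreach ($r in ConvertFrom-EndpointRecordList -Text $Text) {
        $issues = @()
        if ($r.'Registration status' -match 'not registered') { $issues += 'not registered' }
        if ($r.'Online status' -ne 'online') { $issues += "status $($r.'Online status')" }
        $ver = $null
        if ([version]::TryParse($r.'FortiClient version', [ref]$ver) -and $ver -lt $MinimumVersion) {
            $issues += "version $ver below $MinimumVersion"
        }
        [pscustomobject]@{
            Record  = $r.Record
            IP      = $r.IP_Address
            MAC     = $r.MAC_Address
            Host    = $r.Host_Name
            User    = $r.Last_Login_User
            Version = $r.'FortiClient version'
            Issues  = ($issues -join '; ')
        }
    }
}

# Only endpoints with at least one finding are listed.
Get-EndpointFindings -Text $sample | Where-Object Issues | Format-Table -AutoSize
```

Capture the command output from the FortiGate CLI to a file and pass it in with `Get-Content -Raw` as -Text; the objects pipe cleanly into Export-Csv or a ticketing script. Endpoints reported "installed but not registered" are the ones that cannot get network access where FortiGate enforces NAC, so they are the first to chase.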

Upgrade FortiClient

For information about supported upgrade paths for FortiClient, see the FortiClient Release Notes.

For FortiClient in managed mode, an administrator might control FortiClient upgrades for you, and you might be
unable to manually upgrade FortiClient. See also EMS and automatic upgrade of FortiClient on page 23.

During a FortiClient upgrade to 5.6.0, FortiClient installs the same features that were previously installed. If you
want to install different features, you must uninstall the previous version of FortiClient, and install FortiClient
5.6.0 with the desired features.

For FortiClient in managed mode, when an administrator deploys a FortiClient upgrade from EMS to endpoints
running a Windows operating system, an Upgrade Schedule dialog box is displayed in advance on the endpoint to
let endpoint users schedule the upgrade and mandatory endpoint reboot. If no FortiClient is installed on the
endpoint, no reboot is required for the installation, and no Upgrade Schedule dialog box is displayed. The
endpoint user can postpone the reboot for a maximum of 24 hours. Before the mandatory reboot occurs, a
FortiClient dialog box is displayed with a 15 minute warning.

To upgrade FortiClient:

1. Go to Help > About.
2. Beside the version, click the Update Available: <version number>.

To upgrade FortiClient from FortiTray:

1. Select the Windows System Tray.
2. Right-click the FortiTray icon, and select Update Available: <version number>.

FortiClient Telemetry

This section applies only to FortiClient in managed mode.

In managed mode, FortiClient uses a gateway IP address to connect FortiClient Telemetry to FortiGate or EMS.

When your administrator has configured FortiGate for network access control (NAC), you must connect
FortiClient Telemetry to FortiGate to access the network, and you must also maintain a compliant status to retain
access to the network. See also Compliance on page 43.

For information about creating Telemetry gateway IP lists, see Telemetry Gateway IP Lists on page 23.

Telemetry data

When FortiClient Telemetry is connected to FortiGate and/or EMS, the following data about the endpoint and its
workload is collected and sent to FortiGate and/or EMS:

- Hardware information, such as MAC addresses
- Software information, such as the version of operating system on the endpoint
- Identification information, such as user name, user picture, and host name
- Vulnerability information reported by the vulnerability scanning module

When FortiClient Telemetry is connected to FortiGate, the Security Fabric uses the information to understand the
endpoint and its workload to better protect it.

How FortiClient locates FortiGate or EMS

FortiClient uses the following methods in the following order to locate FortiGate or EMS for Telemetry
connection:

- Manual entry of the gateway IP address, which means that the endpoint user enters the gateway IP address of FortiGate or EMS into FortiClient console. See Connect FortiClient Telemetry manually on page 43.
- Telemetry Gateway IP list
  FortiClient Telemetry searches for IP addresses in its subnet in the Gateway IP list. It connects to the FortiGate in the list that is also in the same subnet as the host system.
  If FortiClient cannot find any FortiGates in its subnet, it will attempt to connect to the first reachable FortiGate in the list, starting from the top. The order of the list is maintained as it was configured in the Gateway IP list.
- Default gateway IP address
  The default gateway IP address is specified on the FortiClient endpoint and is used to automatically connect to FortiGate. This method does not support connection to EMS.


  FortiClient obtains the default gateway IP address from the operating system on the endpoint device. The default gateway IP address of the endpoint device should be the IP address for the FortiGate interface with Telemetry enabled.
- VPN
- Remembered gateway IP list
  You can configure FortiClient to remember gateway IP addresses when you connect Telemetry to FortiGate or EMS. Later FortiClient can use the remembered IP addresses to automatically connect Telemetry to FortiGate or EMS.

FortiClient uses the same process to connect Telemetry to FortiGate or EMS after the
FortiClient endpoint reboots, rejoins the network, or encounters a network change.
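The lookup order above, as an added Python model that is not FortiClient code: the endpoint address with its netmask, the ordered gateway list, the VPN gateway and the injected `reachable` callable are constructed assumptions so the selection logic runs offline.

```python
"""Added example, not FortiClient code: the order in which FortiClient looks for
a Telemetry gateway (manual entry, Telemetry Gateway IP list, default gateway,
VPN, remembered list) modelled as plain functions.

Assumptions (constructed, not from the guide): the endpoint address carries its
netmask, `reachable` is an injected callable so the logic runs offline, and the
gateway list is an ordered list of IP strings as an administrator configured it.
"""
import ipaddress
from typing import Callable, List, Optional, Tuple

Reachable = Callable[[str], bool]


def same_subnet_candidates(endpoint_addr: str, gateway_list: List[str]) -> List[str]:
    """Gateways from the Telemetry Gateway IP list that lie in the endpoint's own
    subnet, keeping the configured order."""
    net = ipaddress.ip_interface(endpoint_addr).network
    return [gw for gw in gateway_list if ipaddress.ip_address(gw) in net]


def select_from_gateway_list(endpoint_addr: str, gateway_list: List[str],
                             reachable: Reachable) -> Optional[str]:
    """Gateway IP list step: a gateway in the host's subnet first; if there is
    none, the first reachable gateway walking the list from the top. Falling
    through to the rest of the list when the same-subnet gateway does not answer
    is an assumption, not something the guide states."""
    for gw in same_subnet_candidates(endpoint_addr, gateway_list):
        if reachable(gw):
            return gw
    for gw in gateway_list:
        if reachable(gw):
            return gw
    return None


def locate_telemetry_gateway(manual_ip: Optional[str], endpoint_addr: str,
                             gateway_list: List[str], default_gateway: Optional[str],
                             vpn_gateway: Optional[str], remembered: List[str],
                             reachable: Reachable) -> Tuple[Optional[str], Optional[str]]:
    """Walk the guide's order and return (method, gateway), or (None, None) when
    no method yields a reachable gateway. The default gateway method only ever
    reaches a FortiGate, never EMS."""
    if manual_ip and reachable(manual_ip):
        return ("manual", manual_ip)
    gw = select_from_gateway_list(endpoint_addr, gateway_list, reachable)
    if gw:
        return ("gateway_ip_list", gw)
    if default_gateway and reachable(default_gateway):
        return ("default_gateway", default_gateway)
    if vpn_gateway and reachable(vpn_gateway):          # VPN step (assumed: the VPN peer)
        return ("vpn", vpn_gateway)
    for gw in remembered:                               # stored order (assumption)
        if reachable(gw):
            return ("remembered", gw)
    return (None, None)


if __name__ == "__main__":
    # Constructed sample: the endpoint sits in 10.10.5.0/24; only two gateways answer.
    up = {"10.10.5.1", "198.51.100.7"}
    print(locate_telemetry_gateway(None, "10.10.5.42/24",
                                   ["192.0.2.10", "10.10.5.1", "198.51.100.7"],
                                   "10.10.5.1", None, [], lambda ip: ip in up))
```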

Connect FortiClient Telemetry after installation

After FortiClient software installation completes on an endpoint, FortiClient automatically launches and searches
for FortiGate or EMS to connect FortiClient Telemetry. See also How FortiClient locates FortiGate or EMS on
page 39.

To connect FortiClient Telemetry after installation:

1. When FortiClient locates a FortiGate or EMS, the FortiGate Detected or Enterprise Management Server
(EMS) Detected dialog box is displayed.
Following is an example of the FortiGate Detected dialog box:

Following is an example of the Enterprise Management Server (EMS) Detected dialog box:


The following options are available:

Endpoint User: Displays the name of the endpoint user that is logged into the endpoint device.

Logged into Domain: Displays the name of the domain, if applicable.

Hostname: Displays the name of the endpoint device.

Profile Details: Available only when EMS is detected. Click to display details of the profile that FortiClient will receive after you accept connection to EMS. See also EMS and endpoint profiles on page 20.

Remember this FortiGate: Available only when FortiGate is detected. Select for FortiClient to remember the gateway IP address of the FortiGate to which you are connecting Telemetry. See also Remember gateway IP addresses on page 41.

Remember this Server: Available only when EMS is detected. Select for FortiClient to remember the gateway IP address of the EMS to which you are connecting Telemetry. See also Remember gateway IP addresses on page 41.

2. Click Accept to connect FortiClient Telemetry to the identified FortiGate or EMS.
Alternately, you can click Cancel to launch FortiClient software without connecting FortiClient Telemetry. FortiClient launches in standalone mode. You can manually connect FortiClient Telemetry later.

After FortiClient Telemetry is connected to FortiGate or EMS, FortiClient receives compliance rules from
FortiGate and/or a profile from EMS. A system tray bubble message will be displayed once the download is
complete.

Remember gateway IP addresses

When you confirm Telemetry connection to FortiGate or EMS, you can instruct FortiClient to remember the
gateway IP address of the FortiGate or EMS. If a connection key is required, FortiClient remembers the
connection password too. FortiClient can remember up to 20 gateway IP addresses for FortiGate and EMS.

The remembered IP addresses display in the Local Gateway IP list. FortiClient can use the remembered gateway
IP addresses to automatically connect to FortiGate or EMS.

See also Forget gateway IP addresses on page 51.


To remember IP addresses for FortiGate or EMS:

1. In the FortiGate or EMS Detected dialog box, select the Remember this FortiGate or Remember this EMS (not
shown) check box.

2. Click Accept.
FortiClient remembers the IP address and password, if applicable.

Compliance

The Compliance tab displays whether FortiClient Telemetry is connected to FortiGate or EMS. You can use the
Compliance tab to manually connect FortiClient Telemetry to FortiGate or EMS and to disconnect FortiClient
Telemetry from FortiGate or EMS.

When FortiClient Telemetry is connected to FortiGate, and endpoint control is enabled by the FortiGate
administrator, the Compliance tab displays whether FortiClient and the endpoint device are compliant with the
FortiGate compliance rules and provides information about maintaining a compliant endpoint.

Enable compliance

For FortiClient in standalone mode, the Compliance tab is visible, but not used.

For FortiClient in managed mode, an administrator enables and configures the Compliance tab by using
FortiOS.

Connect FortiClient Telemetry manually


FortiClient Telemetry must be connected to FortiGate to use the compliance feature. Alternately, FortiClient
Telemetry can be connected to EMS, but you cannot use the compliance feature when the FortiClient Telemetry
is connected to EMS. See also Telemetry connection options on page 21.

If FortiClient Telemetry was not automatically connected after FortiClient installation, you can manually connect
FortiClient Telemetry to FortiGate or EMS.

To manually connect FortiClient Telemetry to FortiGate:

1. Go to the Compliance tab.
2. In the FortiGate or EMS box, type the IP address or FQDN of FortiGate, and click Connect.
FortiClient Telemetry connects to FortiGate, and FortiClient receives a profile of compliance rules from FortiGate.

To manually connect FortiClient Telemetry to EMS:

1. Go to the Compliance tab.
2. In the FortiGate or EMS box, type the IP address or FQDN of EMS, and click Connect.
FortiClient Telemetry connects to EMS, and FortiClient receives a profile of configuration information from EMS.

To manually connect FortiClient Telemetry to FortiGate and EMS:

1. Go to the Compliance tab.
2. In the FortiGate or EMS box, type the IP address or FQDN of FortiGate, and click Connect.


FortiClient Telemetry establishes the primary connection to FortiGate, and FortiClient receives a profile of
compliance rules from FortiGate. FortiClient Telemetry also automatically establishes a secondary
connection to EMS, and FortiClient receives a profile of configuration information from EMS.

Disconnect FortiClient Telemetry


You must disconnect FortiClient Telemetry from FortiGate or EMS to connect to another FortiGate or EMS or to
disable and uninstall FortiClient.

To disconnect FortiClient Telemetry:

1. On the Compliance tab, click the Click to Disconnect link. A confirmation dialog box is displayed.

2. Click Yes to disconnect FortiClient Telemetry from FortiGate or EMS.

After you disconnect FortiClient Telemetry from FortiGate or EMS, FortiClient Telemetry automatically connects with the FortiGate or EMS when you re-join the network. See also Forget gateway IP addresses on page 51.

View compliance status

Information available on the Compliance tab depends on whether FortiClient is running in standalone mode or
managed mode. In managed mode, the information displayed on the Compliance tab also depends on whether
FortiClient Telemetry is connected to FortiGate or EMS.

Standalone mode
When FortiClient is running in standalone mode, the Compliance tab is visible, but not used. The Compliance
tab is labeled Not Participating.

If you want to use the compliance feature, you must connect FortiClient Telemetry to FortiGate.


The Compliance tab displays the following information:

FortiGate or EMS: Type the IP address or URL of FortiGate or EMS, and click Connect to connect FortiClient Telemetry.

Show IP List that this FortiClient is sending Telemetry data to: Click the icon to display the list of gateway IP addresses. You can click an IP address in the list to populate the FortiGate IP box.

Unlocked icon: View the unlocked icon to learn that the settings in FortiClient console are unlocked, and endpoint users can change them.

Connect: Click to connect to FortiGate or EMS after populating the FortiGate or EMS box with an IP address.

Managed mode with EMS


When FortiClient Telemetry is connected to EMS, compliance is not enforced. The Compliance tab is labeled
Connected to EMS.

The Compliance tab displays the following information:


Compliance information: View the icon to learn that the compliance enforcement feature requires FortiClient Telemetry connection to FortiGate.

EMS information: View the name and IP address of the EMS to which FortiClient Telemetry is connected. You can disconnect by clicking the Click to Disconnect link.

User information: View the name of the user logged into the endpoint. See also Access endpoint details on page 48. Click the Show IP List That This FortiClient is Sending Telemetry Data To link to view the gateway IP list being used for FortiClient Telemetry connection.

FortiClient Telemetry information: View how often FortiClient Telemetry communicates with FortiClient EMS and when the next communication will occur. FortiClient Telemetry communicates information between FortiClient and EMS.

Locked icon: View the locked icon to learn that the settings in FortiClient console are locked by EMS, and endpoint users cannot change them.

Managed mode with FortiGate


When FortiClient Telemetry is connected to FortiGate, and the FortiGate administrator has disabled compliance, network access control (NAC) is not enforced. The Compliance tab displays Disabled, and you are not required to maintain a compliant status to access the network.

When FortiClient Telemetry is connected to FortiGate, and the FortiGate administrator has enabled compliance,
NAC is enforced, and you might be required to maintain a compliant status to access the network, depending on
how FortiGate enforces NAC.

If FortiGate is configured to block network access for endpoints with not-compliant status, the following
requirements must be met to maintain a compliant status and network access:

- FortiClient must be installed on endpoint devices.
- FortiClient Telemetry must be connected to FortiGate for the endpoint to receive a profile from FortiGate that contains the compliance rules.
- FortiClient software and endpoint must be configured as specified by the FortiGate compliance rules.

When FortiGate is integrated with EMS, the endpoint might also receive a profile from
EMS that contains FortiClient configuration information.

If FortiGate is configured to warn endpoints about not-compliant status, you can acknowledge the status and
access the network without fixing the issues that are causing a not-compliant status.

The following dialog box shows an endpoint with a compliant status.


The Compliance tab displays the following information:

Compliance status: View the icon to learn that the endpoint is in compliance with FortiGate compliance rules. See also Fix not compliant (blocked) on page 53 and Fix not compliant (warning) on page 57.

FortiGate information: View the name and IP address of the FortiGate to which FortiClient Telemetry is connected. You can disconnect by clicking the Click to Disconnect link.

User information: View the name of the user logged into the endpoint. See also Access endpoint details on page 48. Click the Show Compliance Rules from <FortiGate> link to display the compliance rules for FortiGate. Click the Show IP List That This FortiClient is Sending Telemetry Data To link to view the gateway IP list being used for FortiClient Telemetry connection.

FortiClient Telemetry information: View how often FortiClient Telemetry communicates with FortiGate and when the next communication will occur. FortiClient Telemetry communicates information between FortiClient and FortiGate, sending status information to FortiGate and receiving network-access rules from FortiGate. When FortiGate is integrated with EMS, notification information is also sent to EMS. EMS might also send endpoint profiles of configuration information to FortiClient.

Monitoring: View the name of EMS, if the endpoint is monitored by EMS.

Locked icon: View the locked icon to learn that the settings in FortiClient console are locked by EMS, and you cannot change them.

Unlocked icon: View the unlocked icon to learn that the settings in FortiClient console are unlocked, and endpoint users can change them.


Access endpoint details

When FortiClient is in managed mode, you can access details on the Compliance tab about the logged in user,
the endpoint, and FortiGate or EMS.

View user details


You can view details about the logged in user when FortiClient is compliant with FortiGate rules. You cannot view
user details when FortiClient is not compliant with FortiGate rules.

To view user details:

1. On the Compliance tab, view the name of the user beside the View Details link.
2. Click the View Details link to view the following information:

Online/offline: Displays whether the endpoint is online or offline. A green icon indicates the endpoint is online.

Off-Net/On-Net: Displays whether the endpoint is on-net or off-net. A green On-Net icon indicates the endpoint is on-net. A gray off-net icon indicates the endpoint is off-net. See also On-net / off-net status with FortiGate and EMS on page 51.

Username: Displays the name of the user logged into FortiClient on the endpoint.

Hostname: Displays the name of the endpoint device on which FortiClient is installed.

Domain: Displays the name of the domain to which the endpoint is connected, if applicable.

Retrieve user picture from: Displays where FortiClient is automatically seeking to retrieve a picture for the user, such as from Windows Login / AD, Linkedin Account, and so on. Alternately, you can specify a picture by clicking the Specify link. If FortiClient cannot locate a picture, no picture is used.

3. Click the X to close the dialog box.

Specify user picture


When FortiClient is in managed mode, FortiClient automatically attempts to retrieve a picture from Windows or
Active Directory (AD). If a picture is defined for Windows or AD to use, FortiClient retrieves the picture.

Alternately, you can direct FortiClient to retrieve the picture from one of the following cloud applications, if you
have an account: 

- Linkedin account
- Google account
- Salesforce account

You can also manually specify a picture for FortiClient to use.


A user picture is sometimes called an avatar. When an administrator configures FortiClient to send logs to FortiAnalyzer or FortiManager, the avatar is used by FortiAnalyzer or FortiManager to visually identify the FortiClient endpoint user. See also Send logs to FortiAnalyzer or FortiManager on page 115.

To retrieve a user picture from a cloud application:

1. On the Compliance tab, click the View Details link.
2. Click one of the following links:
   - Linkedin Account
   - Google Account
   - Salesforce Account
The following window is displayed.

3. Click a browser, and log into your account.
The following page is displayed in the browser:
4. Click Allow to grant FortiClient permission to use your information.
5. Click Save.

To specify a user picture:

1. On the Compliance tab, click the View Details link.
2. Click the Specify link.
3. Perform one of the following actions:
   - Click Take a picture to take a picture. This option requires a web camera to be available on the endpoint.
   - Click Browse to select an image file.
4. Click Save.


View FortiGate compliance rules


When FortiClient Telemetry is connected to FortiGate, you can view the compliance rules from FortiGate. The
compliance rules communicate the configuration required for FortiClient console and the endpoint to remain
compliant.

When the endpoint has a not-compliant status, an exclamation mark indicates which compliance rules are not
met. See View unmet compliance rules on page 54.

To view compliance rules:

1. On the Compliance tab, click the Show Compliance Rules From <FortiGate> link.
The compliance rules from FortiGate are displayed.

2. Click Close to return to the Compliance tab.

View gateway IP lists


You can view the following gateway IP lists in FortiClient:

- Telemetry Gateway List
  The Telemetry Gateway list is created by administrators. Endpoint users cannot change the list. For more information, see Telemetry Gateway IP Lists on page 23.
- Remembered FortiGate List
  The Remembered FortiGate list is created by endpoint users. It is the list of remembered gateway IP addresses for FortiGate and EMS. When FortiClient Telemetry is connected for the first time, you can instruct FortiClient to remember the gateway IP address for FortiGate or EMS. See Remember gateway IP addresses on page 41.

The gateway IP lists are used to automatically connect FortiClient Telemetry to FortiGate or EMS.

To view gateway IP lists:

1. On the Compliance tab, click the Show IP List That This FortiClient is Sending Telemetry Data to link.
The Gateway IP List and the Local Gateway IP List are displayed.


2. Click X to close the list.

Forget gateway IP addresses


When you instruct FortiClient to forget an IP address for FortiGate or EMS, FortiClient Telemetry will not use the
IP address to automatically connect to FortiGate or EMS when re-joining the network.

To forget FortiGate or EMS:

1. On the Compliance tab, click the Show IP List That This FortiClient is Sending Telemetry Data to link.
2. In the Remembered FortiGate List, click Forget beside the gateway IP addresses that you no longer want
FortiClient to remember.
3. Click X to close the list.

On-net / off-net status with FortiGate and EMS


Endpoints must connect FortiClient Telemetry to FortiGate or EMS for FortiClient console to display an on-net,
off-net, or offline status.

The following rules identify when FortiGate, EMS, or FortiClient determines the status:

- When endpoints connect FortiClient Telemetry to FortiGate or EMS, FortiGate or EMS determines whether the endpoint has an on-net or off-net status.
- When endpoints cannot connect FortiClient Telemetry to FortiGate or EMS, FortiClient determines the on-net or off-net status, based on the on-net subnets.

When FortiGate and EMS are integrated, the primary FortiClient Telemetry connection is to FortiGate, and FortiGate calculates the status.

FortiGate
The versions of FortiClient and FortiOS do not affect the on-net, off-net, or online status. The following examples show how FortiGate determines the status for the endpoint:

- The endpoint has a status of on-net when the endpoint is behind a FortiGate, and the endpoint receives option 224 with the FortiGate serial number. In this case, FortiGate is the DHCP server, and FortiGate checks that the serial number matches its own serial number.
- The endpoint has a status of on-net when the endpoint is inside one of the on-net subnets defined by FortiGate. You can configure on-net subnets in the FortiClient profile by using the FortiOS CLI and the set on-net addr command.
- The endpoint has a status of off-net when the endpoint is outside of the FortiGate network, such as connected through an external interface, or has not received option 224 with the FortiGate serial number.
- The endpoint has a status of offline when the endpoint cannot connect FortiClient Telemetry to FortiGate, and the endpoint is outside one of the on-net networks, even when option 224 and the FortiGate serial number are configured.
- The endpoint has a status of offline on-net when the endpoint is inside one of the on-net networks, but cannot connect FortiClient Telemetry to FortiGate.

For FortiClient to be in an on-net network, the IP address of FortiGate or EMS should be routed via the IP address from the on-net network.

EMS
The versions of FortiClient and EMS do not affect the on-net, off-net, or online status. The following table shows how various configurations determine the status for the endpoint when FortiClient Telemetry is connected to EMS:

EMS DHCP On-net / Off-net Setting   On-net Subnet          Option 224 Serial Number   Endpoint Status
Off                                 No                     N/A                        On-net
On                                  No                     Option not configured      Off-net
On                                  No                     Option configured          On-net
Off or on                           Yes and match          Configured or not          On-net
Off or on                           Yes and do not match   Configured or not          Off-net

The following examples show how EMS determines the status for the endpoint:

- The endpoint has a status of offline when the endpoint cannot connect FortiClient Telemetry to EMS, and the endpoint is outside one of the on-net networks.
- The endpoint has a status of offline on-net when the endpoint cannot connect FortiClient Telemetry to EMS, but the endpoint is inside one of the on-net networks.

On-net subnets have higher priority over other settings. In addition, EMS doesn't compare the Option 224 serial number. As long as the endpoint has the serial number, EMS assumes that the endpoint is behind a FortiGate and is on-net.
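The FortiGate rules and the EMS decision table above, as an added Python model that is not FortiClient, FortiGate or EMS code: the on-net subnet lists, the serial numbers and the Telemetry "connected" flags are constructed inputs, and the EMS DHCP On-net / Off-net setting is passed as a boolean.

```python
"""Added example, not Fortinet code: the on-net / off-net / offline rules for an
endpoint as the guide describes them, once for FortiGate and once for EMS.

Constructed inputs: `onnet_subnets` is the administrator's list of on-net subnets
(for FortiGate, the ones set with `set on-net addr`); `option224_serial` is the
serial number the endpoint received in DHCP option 224, or None when the option
was not received. Serial numbers here are placeholders.
"""
import ipaddress
from typing import List, Optional

ON_NET = "on-net"
OFF_NET = "off-net"
OFFLINE = "offline"
OFFLINE_ON_NET = "offline on-net"


def in_onnet_subnets(endpoint_ip: str, onnet_subnets: List[str]) -> Optional[bool]:
    """None when no on-net subnets are configured; otherwise whether endpoint_ip
    lies inside one of them."""
    if not onnet_subnets:
        return None
    addr = ipaddress.ip_address(endpoint_ip)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in onnet_subnets)


def fortigate_status(telemetry_connected: bool, endpoint_ip: str, onnet_subnets: List[str],
                     option224_serial: Optional[str], fortigate_serial: str) -> str:
    """Status as FortiGate calculates it. When FortiGate and EMS are integrated
    the primary Telemetry connection is to FortiGate, so this is also the
    integrated result."""
    inside = in_onnet_subnets(endpoint_ip, onnet_subnets)
    if not telemetry_connected:
        # No Telemetry connection: offline, or "offline on-net" inside an on-net
        # network, regardless of whether option 224 is configured.
        return OFFLINE_ON_NET if inside else OFFLINE
    if inside:
        return ON_NET
    # FortiGate is the DHCP server and checks the serial against its own.
    if option224_serial is not None and option224_serial == fortigate_serial:
        return ON_NET
    return OFF_NET


def ems_status(telemetry_connected: bool, dhcp_onnet_setting: bool, endpoint_ip: str,
               onnet_subnets: List[str], option224_serial: Optional[str]) -> str:
    """Status as EMS determines it, following the guide's decision table.
    dhcp_onnet_setting is the EMS DHCP On-net / Off-net setting (True means On)."""
    inside = in_onnet_subnets(endpoint_ip, onnet_subnets)
    if not telemetry_connected:
        return OFFLINE_ON_NET if inside else OFFLINE
    # On-net subnets have priority over every other setting.
    if inside is not None:
        return ON_NET if inside else OFF_NET
    if not dhcp_onnet_setting:
        return ON_NET            # setting Off and no subnets: on-net
    # Setting On: EMS only checks that a serial number was received; it does not
    # compare it with any FortiGate serial number.
    return ON_NET if option224_serial is not None else OFF_NET


if __name__ == "__main__":
    # Constructed sample endpoint inside 10.1.1.0/24 that received a serial number.
    print(fortigate_status(True, "10.1.1.5", [], "FGT-SERIAL-EXAMPLE", "FGT-SERIAL-EXAMPLE"))
    print(ems_status(True, True, "10.1.1.5", ["10.1.1.0/24"], "FGT-SERIAL-EXAMPLE"))
    print(ems_status(False, True, "10.1.1.5", ["10.1.1.0/24"], None))
```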


Fix not compliant (blocked)

When an endpoint is not compliant with FortiGate compliance rules, and FortiGate is configured with a non-
compliance action of block, the endpoint is blocked from accessing the network, and the Compliance tab displays
a not-compliant status:

The following information is displayed on the Compliance tab:

Compliance status: View the icon to learn that the endpoint is not compliant with FortiGate compliance rules and might be blocked from accessing the network. You have some time to fix the not-compliant issues before FortiGate blocks network access. See also Compliance and vulnerability scanning on page 107.

Compliance rules: View the compliance rules by clicking the Show Compliance Rules from <FortiGate> link and see which rules are unmet.

IP list for FortiClient Telemetry: Click the Show IP List That This FortiClient is Sending Telemetry Data To link to view the gateway IP list being used for FortiClient Telemetry connection.

Fix non-compliance settings: Click the Fix Non-Compliant Settings button to try to return FortiClient to a compliant status. This option is not available when FortiClient settings are locked by EMS.

You can take the following steps to fix the not-compliant status and return the endpoint to a compliant status:

- View which compliance rules are unmet. See View unmet compliance rules on page 54.
- Update the FortiClient configuration, if the option is available. See Fix Not-Compliant Settings on page 55.
- Fix detected vulnerabilities by using the automatic patching features. See Automatically fix detected vulnerabilities on page 109.
- Manually install software patches, if required. See Manually fix detected vulnerabilities on page 111.
- Manually fix system compliance:
  - Create or modify the requested registry entries
  - Create or modify the requested files or folders
  - Start the requested processes

FortiClient must be installed with the correct setup to adhere to the compliance rules.
See also FortiClient setup types and modules on page 26.

View unmet compliance rules


When an endpoint has a not-compliant (blocked) status, you can view the compliance rules from FortiGate and
identify which ones are causing the not-compliant status.

To view not-compliant rules:

1. On the Compliance tab, click the Show Compliance Rules From <FortiGate> link.
The compliance rules from FortiGate are displayed, and the exclamation mark indicates an unmet
compliance rule.

In the following example, the compliance rule states that Vulnerability Scan should be enabled, and
Endpoint should not have any High or Above Vulnerabilities. The exclamation mark indicates that
FortiClient or the endpoint are failing to meet the compliance rule.

2. Click the exclamation mark to view information about what is not compliant.
A pop-up bubble message is displayed that identifies what part of the FortiClient configuration is not-
compliant, for example, vulnerabilities were found for the Windows operating system.


3. Click Close to return to the Compliance tab.

Fix Not-Compliant Settings


When the endpoint has a not-compliant status, and settings are unlocked, the Fix Non-Compliant Settings
option is displayed on the Compliance tab. You can click the option to try and return FortiClient to a status of
compliant.

When FortiClient has a not-compliant status, and the Fix Non-Compliant Settings link
is not displayed, endpoint users should contact their system administrator for help with
configuring the endpoint and FortiClient console to remain compliant with FortiGate.

To fix not-compliant settings:

1. On the Compliance tab, click Fix Non-Compliant Settings.
FortiClient attempts to return the endpoint to a compliant status by updating FortiClient settings to match the compliance rules from FortiGate, updating the FortiClient signatures, and patching detected vulnerabilities.

The not-compliant settings are fixed, and the endpoint returns to a status of compliant.


Patch software vulnerabilities


Endpoints can become not-compliant when vulnerabilities are detected for software that is installed on the
endpoint, but software patches for the vulnerabilities are not yet installed. The vulnerabilities must be patched for
FortiClient to return to a status of compliant. See Automatically fix detected vulnerabilities on page 109 and
Manually fix detected vulnerabilities on page 111.

Examples of blocked network access


The following table provides examples of when endpoints are blocked from accessing the network and how you
can regain access.

Symptom: No network access and no FortiClient software installed
Cause of blocked access: FortiClient is not installed, and FortiClient Telemetry is not connected.
Solution: FortiGate displays a portal in a web browser, and the portal includes a link to the FortiClient installer. Download and install FortiClient software, and connect FortiClient Telemetry to FortiGate. See Connect FortiClient Telemetry after installation on page 40.

Symptom: No network access and a Not Participating status on the Compliance tab in FortiClient console
Cause of blocked access: FortiClient Telemetry is not connected.
Solution: In FortiClient console, connect FortiClient Telemetry to FortiGate. See Connect FortiClient Telemetry manually on page 43.

Symptom: No network access and Not Compliant status on the Compliance tab in FortiClient console
Cause of blocked access: Endpoint software or FortiClient configuration does not meet compliance rules.
Solution: View unmet compliance rules and configure FortiClient to meet them. In some cases, you might need to contact your system administrator for help. See View unmet compliance rules on page 54.

Symptom: The Vulnerability Scan tab shows detected vulnerabilities
Solution: Fix detected vulnerabilities. See Automatically fix detected vulnerabilities on page 109. You may also need to manually fix detected vulnerabilities. See Manually fix detected vulnerabilities on page 111.

Symptom: No network access and Compliant status on the Compliance tab in FortiClient console
Cause of blocked access: FortiGate is configured to warn endpoint users about network access, and you haven't clicked the I Agree button.
Solution: Click the I Agree button in the web portal browser displayed by FortiGate. See Fix not compliant (warning) on page 57.


Fix not compliant (warning)

When an endpoint is not compliant with FortiGate compliance rules, and FortiGate is configured with a non-compliance action of warn, the Compliance tab displays the following information icon with a not-compliant status:

The following information is displayed on the Compliance tab:

Compliance status: View the icon to learn that the endpoint is warned about the not-compliant status with FortiGate compliance rules. Access to the network is blocked until the endpoint user acknowledges the warning by either clicking the Proceed Anyway button in FortiClient console or clicking the I Agree button in the FortiGate web portal.

Compliance rules: View the compliance rules by clicking the Show Compliance Rules from <FortiGate> link and see which compliance rules are unmet.

IP list for FortiClient Telemetry: Click the Show IP List That This FortiClient is Sending Telemetry Data To link to view the gateway IP list being used for FortiClient Telemetry connection.

Fix Non-Compliant Settings: Click the Fix Non-Compliant Settings button to try to return FortiClient to a compliant status. This option is not available when FortiClient settings are locked by EMS.

Proceed Anyway: Click Proceed Anyway to acknowledge the not-compliant status and access the network without fixing all reported issues.

FortiGate also displays a warning portal that includes an I Agree button at the bottom of the page:


When FortiGate warns endpoints about a not-compliant status, you can choose one of the following actions:

- Fix the not-compliant issues and return the endpoint to a status of compliant, and then access the network with a compliant status.
- Acknowledge the not-compliant status and access the network by clicking either Proceed Anyway in FortiClient console or I Understand in the warning portal.

If you choose to access the network without fixing the not-compliant issues, you must acknowledge the warning before you can access the network.

You only need to click either Proceed Anyway in the FortiClient console or I Under-
stand in the warning portal. You do not need to click both buttons. After you click one
of the buttons, the software communicate with each other to relay the acknow-
ledgment. For example, if you click Proceed Anyway in the FortiClient console,
FortiClient communicates the acknowledgment to FortiGate, and you are not required
to click I Understand in the warning portal.

To proceed anyway:

1. On the Compliance tab, click Proceed Anyway.


The not-compliant issues remain unfixed, but you are granted network access. Because the not-compliant issue remains unfixed, the icon changes to Not-Compliant.

Quarantined endpoints

In certain situations, an administrator might quarantine an endpoint. When an endpoint is quarantined, the
following page is displayed, and the endpoint user loses network access. Contact your system administrator for
assistance.

Sandbox Detection

FortiClient supports integration with FortiSandbox. When configured, FortiSandbox automatically scans files that are executed on the endpoint, executed from removable media attached to the endpoint, or executed from mapped network drives. FortiSandbox can also automatically scan files that are downloaded from the Internet or from email to the endpoint. Endpoint users can also manually submit files to FortiSandbox for scanning.

Access to files can be blocked until the FortiSandbox scanning result is returned.

When scanning is complete, FortiSandbox can quarantine infected files or alert and notify the endpoint user of
infected files without quarantining the files.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such
samples. FortiClient periodically downloads the latest AV signatures from FortiSandbox, and applies them locally
to all real-time and on-demand AntiVirus scanning.

Enable Sandbox Detection

The Sandbox Detection tab is displayed in the FortiClient console when FortiClient is installed with Advanced Persistent Threat (APT) Components selected.

You can enable FortiClient to work with FortiSandbox, if you have a FortiSandbox unit.

To enable Sandbox Detection:

1. On the Sandbox Detection tab, click the settings icon.


2. If the "Administrative privileges are required to change settings. Press Elevate to obtain these privileges." message is displayed, click Elevate.
The settings page is displayed.

3. Select the Enable FortiSandbox Detection & Analysis check box.


4. In the Address box, type the IP address for FortiSandbox, and click Test to ensure that the IP address is valid.


If the IP address is valid, a confirmation dialog box is displayed.

5. Click OK to close the confirmation dialog box.


6. Click OK to save the changes.
For information about configuring FortiSandbox, see Configure Sandbox Detection on page 62.

FortiSandbox Detection is enabled.

Disable Sandbox Detection

To disable Sandbox Detection:

1. On the Sandbox Detection tab, click the settings icon.


The settings page is displayed.

2. Clear the Enable FortiSandbox Detection & Analysis check box, and click OK.
FortiSandbox Detection is disabled.


Configure Sandbox Detection

You can configure what files are automatically submitted from the endpoint to FortiSandbox for scanning. You
can also configure whether FortiSandbox quarantines infected files and whether to exclude any files or folders
from FortiSandbox scanning.

Configure submission, access, and remediation

To configure submission, access, and remediation:

1. On the Sandbox Detection tab, click the Settings icon.


The settings page is displayed.

2. Set the following options, and click OK:

Wait for FortiSandbox results before allowing file access: Select to wait for FortiSandbox analysis results before files can be accessed. Clear the check box to allow file access before FortiSandbox results are known.

Timeout seconds: Specify the timeout duration in seconds. After the time expires, file access is allowed even if FortiSandbox has not returned results, provided the Deny Access to file if Sandbox is unreachable option is disabled. When set to 0, the downloaded file is always released and the pop-up window is never displayed. See also Use the pop-up window on page 69.

Deny Access to file if Sandbox is unreachable: Select to deny access to files when FortiClient cannot reach FortiSandbox for file analysis. Clear the check box to allow file access if the FortiSandbox unit cannot be reached for scanning. See also Examples of FortiSandbox availability and scanning results on page 63.


FortiSandbox Submission Options

All files executed from removable media: Select to submit all files that are executed on removable media, such as USB drives, to FortiSandbox for analysis. Clear the check box to disable this feature.

All files executed from mapped network drives: Select to submit all files that are executed on mapped network drives to FortiSandbox for analysis. Clear the check box to disable this feature.

All web downloads: Select to submit all web downloads on the endpoint to FortiSandbox for analysis. Clear the check box to disable this feature.

All email downloads: Select to submit all email downloads on the endpoint to FortiSandbox for analysis. Clear the check box to disable this feature.

Remediation Options

Quarantine infected files: Select to quarantine infected files.

Alert & Notify only: Select to alert and notify the endpoint user about infected files, but not quarantine infected files.

Examples of FortiSandbox availability and scanning results

The following table identifies how the FortiSandbox settings and availability affect file scanning results when the Sandbox <timeout> setting is non-zero.

Deny Access to File if Unreachable | FortiSandbox Reachable? | FortiSandbox Timed Out? | FortiSandbox Final Action     | FortiSandbox Message
Disabled                           | Yes                     | No                      | Based on FortiSandbox verdict | Scanning verdict is displayed
Disabled                           | Yes                     | Yes                     | Release file                  | Scanning timed out
Disabled                           | No                      | N/A                     | Release file                  | Scanning skipped - FortiSandbox unreachable
Enabled                            | Yes                     | No                      | Based on FortiSandbox verdict | Scanning verdict is displayed
Enabled                            | Yes                     | Yes                     | Block file                    | Scanning timed out - access denied
Enabled                            | No                      | N/A                     | Block file                    | Scanning skipped - FortiSandbox unreachable - access denied
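The table is a decision on three inputs, and the setting that matters most to a defender is Deny Access to File if Unreachable: disabled is fail-open (the file is released whenever no verdict arrives), enabled is fail-closed. The following Python is an added example, not FortiClient code, that encodes the table as a function so a deployment's settings can be checked against it; the handling of Timeout seconds = 0 follows the settings description above and is an assumption about how that value combines with the table. The function and class names are mine.

```python
"""Added example: the FortiSandbox availability table as a decision function.

Not FortiClient code. It models the table above so the fail-open / fail-closed
behaviour of the 'Deny Access to file if Sandbox is unreachable' setting can be
checked programmatically. The timeout == 0 branch follows the 'Timeout seconds'
description (file always released, no pop-up) and is an assumption about how
that setting interacts with the table.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    VERDICT = "Based on FortiSandbox verdict"
    RELEASE = "Release file"
    BLOCK = "Block file"


@dataclass(frozen=True)
class SandboxOutcome:
    action: Action
    message: str

    @property
    def fails_closed(self) -> bool:
        """True when the file stays blocked because no verdict was obtained."""
        return self.action is Action.BLOCK


def sandbox_final_action(deny_if_unreachable: bool,
                         reachable: bool,
                         timed_out: Optional[bool],
                         timeout_seconds: int = 60) -> SandboxOutcome:
    """Return FortiClient's final action and message for one submitted file.

    deny_if_unreachable: the 'Deny Access to file if Sandbox is unreachable' check box.
    reachable:           whether FortiSandbox answered at all.
    timed_out:           whether 'Timeout seconds' expired before a verdict
                         (ignored, conventionally None, when unreachable).
    timeout_seconds:     the 'Timeout seconds' value; the table covers non-zero values.
    """
    if timeout_seconds == 0:
        # Assumption from the settings text: with Timeout seconds = 0 the
        # downloaded file is always released and no pop-up is displayed.
        return SandboxOutcome(Action.RELEASE, "")
    if not reachable:
        if deny_if_unreachable:
            return SandboxOutcome(
                Action.BLOCK,
                "Scanning skipped - FortiSandbox unreachable - access denied")
        return SandboxOutcome(Action.RELEASE,
                              "Scanning skipped - FortiSandbox unreachable")
    if timed_out:
        if deny_if_unreachable:
            return SandboxOutcome(Action.BLOCK, "Scanning timed out - access denied")
        return SandboxOutcome(Action.RELEASE, "Scanning timed out")
    # Reachable and answered in time: the verdict decides (quarantine or alert).
    return SandboxOutcome(Action.VERDICT, "Scanning verdict is displayed")


def decision_table() -> List[Tuple[str, str, str, str, str]]:
    """Enumerate the six rows of the table above, in the same order."""
    rows = []
    for deny in (False, True):
        for reachable, timed_out in ((True, False), (True, True), (False, None)):
            out = sandbox_final_action(deny, reachable, timed_out)
            rows.append(("Enabled" if deny else "Disabled",
                         "Yes" if reachable else "No",
                         "N/A" if timed_out is None else ("Yes" if timed_out else "No"),
                         out.action.value,
                         out.message))
    return rows


if __name__ == "__main__":
    for row in decision_table():
        print(" | ".join(row))
```

Running the block prints the six rows. The property worth asserting in a deployment review is `sandbox_final_action(True, False, None).fails_closed`, which is true only when the deny setting is enabled; with it disabled, an unreachable or slow FortiSandbox silently degrades to releasing every file.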

Configure exceptions

To configure exceptions:

1. On the Sandbox Detection tab, click the Settings icon.


The settings page is displayed.

2. Set the following options, and click OK:

Exceptions

Exclude files from trusted sources: Select to exclude files from trusted sources from FortiSandbox analysis. Click the i icon to view the list of trusted sources. You cannot change the list of trusted sources.

Exempt specified files / folders: Select to exempt specified files and/or folders from FortiSandbox analysis. You must also create the exclusion list.

3. If you selected Exempt specified files / folders, you must create the exclusion list. See Manage the Sandbox Detection exclusion list on page 64.

Manage the Sandbox Detection exclusion list


You can add files and folders to the exclusion list for FortiSandbox. FortiSandbox will not scan the identified files
or folders when the Exempt specified files / folders check box is selected. See Configure exceptions on page 64.

You can also remove files and folders from the exclusion list.

To add files or folders to the exclusion list:

1. On the Sandbox Detection tab, click the Settings icon.


The Settings page is displayed.

2. Click the Exclusion List tab.


The exclusion list is displayed.

3. Click the + icon, and select either Add file or Add folder.
A Browse dialog box is displayed.

4. Locate and select the file or folder, and click Open.


The file or folder is added to the exclusion list, and will not be scanned by FortiSandbox.

5. Click OK to save the changes.

To remove files or folders from the exclusion list:

1. On the Sandbox Detection tab, click the Settings icon.


The Settings page is displayed.

2. Click the Exclusion List tab.


The exclusion list is displayed.

3. Click one or more items in the exclusion list.


A check mark is displayed beside the selected items.

4. Click the - icon.


The selected items are removed from the exclusion list.

5. Click OK to save the changes.

Scan with FortiSandbox on demand

You can send files to FortiSandbox for scanning on demand when FortiSandbox is enabled and online.

To scan with FortiSandbox on demand: 

1. Right-click a file and select Scan with FortiSandbox from the menu.

View Sandbox Detection results

FortiSandbox scan results are displayed on the Sandbox Detection tab and in a pop-up window.

When a virus is detected, FortiClient creates a notification alert. See View notifications on page 70.


View FortiSandbox scan results

To view FortiSandbox scan results: 

1. Go to the Sandbox Detection tab.

The following information is displayed:

Files Submitted: Displays the number of files submitted to FortiSandbox for scanning.

Malware Detected: Displays the number of detected malware files. Click the <number> link beside Malware Detected to view details about the files.

Clean: Displays the number of files determined clean after FortiSandbox scanning.

Pending analysis: Displays the number of files waiting for FortiSandbox scanning.

View quarantined files


You can view files quarantined by FortiSandbox. You can also restore and delete quarantined files as well as
submit quarantined files for analysis again.

You cannot restore and delete quarantined files when FortiClient is in managed mode.

To view quarantined files: 

1. Go to the Sandbox Detection tab.


2. Beside Malware detected, click the <number> link to view quarantined files.
The list of files is displayed.


The following information is displayed:

Summary

File Name: Lists the names of the quarantined files.

Date Quarantined: Lists the date and time that the files were quarantined by FortiSandbox.

Refresh: Click to refresh the information.

Details: Select a file from the list to view detailed information.

File Name: Name of the selected quarantined file.

Original Location: Location of the file before FortiSandbox scanning.

Quarantined: Date and time that the file was quarantined by FortiSandbox.

Submitted: Displays Not Submitted when the selected file has not been submitted to FortiGuard for analysis by clicking the Submit button. Displays Submitted after clicking the Submit button.

Status: Status of the file, such as Quarantined.

Virus Name: Name of the virus detected by FortiSandbox.

Quarantined File Name: Name of the file after it was quarantined.

Submit: Click to submit the file for FortiGuard analysis.

Restore: Click to remove the selected file from quarantine.

Delete: Click to delete the selected file from the device.

3. Select a file from the list to view detailed information about the file.
4. Click Close.


Submit quarantined files for scanning


You can submit quarantined files to FortiSandbox for scanning.

To submit quarantined files for scanning: 

1. Go to the Sandbox Detection tab.


2. Beside Zero-day malware, click the <number> link to view quarantined files.
The list of files is displayed.

3. Select the file, and click Submit.

Restore quarantined files


Endpoint users can only restore quarantined files with FortiClient in standalone mode. When you restore a
quarantined file, you can choose whether to add the file to the exclusion list.

To restore quarantined files: 

1. Go to the Sandbox Detection tab.


2. Beside Zero-day malware, click the <number> link to view quarantined files.
The list of files is displayed.

3. Select the file, and click Restore.


A confirmation dialog box is displayed.

4. Click Yes to restore the file and add it to the exclusion list or No to restore the file without adding it to the
exclusion list.
5. If the "Administrative privileges are required to change settings. Press Elevate to obtain these privileges." message is displayed, click Elevate.
The file is restored.

Delete quarantined files


Endpoint users can only restore quarantined files with FortiClient in standalone mode.

To delete quarantined files: 

1. Go to the Sandbox Detection tab.


2. Beside Zero-day malware, click the <number> link to view quarantined files.
The list of files is displayed.

3. Select the file, and click Delete.


A confirmation dialog box is displayed.


4. Click Yes.
The file is deleted.

Use the pop-up window

The settings for the Wait for FortiSandbox scan result before allowing file access
and Timeout seconds options affect when the pop-up window is displayed. See also
Configure Sandbox Detection on page 62.

As FortiSandbox scans and releases files, a pop-up window is displayed to inform you. You can view the recent
scans by clicking the View recent scans option.

When FortiSandbox detects a virus and quarantines a file, the Virus Alert window is displayed.

You can use the Virus Alert window to view information about the recently scanned files by clicking the View
recently detected virus(es) option.


With the information expanded, you can select a quarantined file and click the Restore button to restore the file.

Endpoint users can only restore quarantined files with FortiClient in standalone mode.

View notifications

Select the notifications icon in the FortiClient console to view notifications. When a virus has been detected, the
notifications icon will change from gray to yellow or red.

Event notifications include:

- Sandbox Detection events, including detected malware.
- Antivirus events, including scheduled scans and detected malware.
- Endpoint Control events, including configuration updates received from FortiGate or EMS.
- WebFilter events, including blocked web site access attempts.
- System events, including signature and engine updates and software upgrades.

Select the Threat Detected link to view quarantined files, site violations, and real-time protection events.

For FortiClient in standalone mode, you can also clear the entries by clicking the Clear button. This option is not
available for FortiClient in managed mode.

To view notifications:

1. In FortiClient Console, click the Notifications icon (an exclamation mark) in the top-right corner.
The list of notifications is displayed.


2. Click Close to close the list.

Antivirus

FortiClient includes an antivirus component to scan system files, executable files, removable media, dynamic-link
library (DLL) files, and drivers. FortiClient will also scan for and remove rootkits. In FortiClient, file-based
malware, malicious websites, phishing, and spam URL protection are part of the antivirus component.

Enable realtime protection

The AntiVirus tab is displayed in FortiClient console when FortiClient is installed with
Additional Security Features and AntiVirus selected.

For FortiClient in managed mode, when FortiClient Telemetry is connected to FortiGate or EMS, an
administrator might enable, configure, and lock realtime protection. You can enable realtime protection if the
FortiClient console is not locked by EMS, and realtime protection is excluded from FortiGate compliance rules.

To enable realtime protection:

1. On the AntiVirus tab, click the Settings icon.


The realtime protection settings page opens.

2. Select the Scan files as they are downloaded or copied to my system check box.
3. Click OK.
If you have another antivirus program installed on your system, FortiClient displays a warning that your system
may lock up due to conflicts between different antivirus products. See Third-party antivirus software and realtime
protection on page 72.

Third-party antivirus software and realtime protection


For FortiClient in standalone mode, it is recommended to remove third-party antivirus products before installing
FortiClient or enabling the antivirus real-time protection feature. Otherwise you might see the following
conflicting antivirus warning when you enable realtime protection:

In managed mode, when FortiClient Telemetry is connected to FortiGate, the FortiGate compliance rules might
allow third-party antivirus software to be used as part of the compliance rules. In this case, realtime protection in
FortiClient console should be disabled.


Disable realtime protection

When FortiClient Telemetry is connected to FortiGate or EMS, you might be unable to disable realtime
protection. You can disable realtime protection when the FortiClient console is not locked by EMS, and realtime
protection is excluded from FortiGate compliance rules.

To disable realtime protection:

1. On the AntiVirus tab, click the Settings icon.


The realtime protection settings page opens.

2. Clear the Scan files as they are downloaded or copied to my system check box, and click OK.

Configure AntiVirus

You can block access and communication channels, update the antivirus database, schedule antivirus scanning,
add files or folders to exclusion lists, and configure additional antivirus options.

Block access and communication channels


The Web Security/Web Filter module must be installed before you can enable these features.

To block access and communication channels:

1. On the AntiVirus tab, select the settings icon to open the real-time protection settings page.
2. Select the Block all access to malicious websites check box.
3. Perform one of the following actions:
- Select the Use Web Filter exclusion list check box if you want to use the exclusion list for the Web Security/Web Filter tab. See Manage the Web Filter/Web Security exclusion list on page 86.
- Clear the Use Web Filter exclusion list check box to use the exclusion list for the Antivirus tab. You must define an exclusion list. See Manage the AntiVirus exclusion list on page 76.
4. Select the Block known communication channels used by attackers check box.
5. Click OK.


Update Antivirus database


FortiClient informs you if the AntiVirus database is out of date. FortiClient automatically updates signatures.
However, if you see that the signatures are outdated, you can click the Update now link. See also View
FortiClient engine and signature versions on page 81.

To update the AntiVirus database: 

1. On the AntiVirus tab, click the Update Now link.

The AntiVirus database is updated.

Schedule antivirus scanning

If you configure monthly scans to occur on the 31st of each month, the scan will occur
on the first day of the month for those months with less than 31 days.

To schedule antivirus scanning:

1. On the AntiVirus tab, click the Settings icon beside Realtime Protection.
2. Click the Scheduled Scan tab.


3. Configure the following settings:

Schedule Type: Select Daily, Weekly, or Monthly from the drop-down list.

Scan On: For Weekly scheduled scans, select the day of the week in the drop-down list. For Monthly scheduled scans, select the day of the month in the drop-down list.

Start: Select the time of day to start the scan. The time format uses a 24-hour clock.

Scan Type: Select the scan type:
- Quick system scan runs the rootkit detection engine to detect and remove rootkits. It only scans the following items for threats: executable files, DLLs, and drivers that are currently running.
- Full system scan runs the rootkit detection engine to detect and remove rootkits. It then performs a full system scan of all files, executable files, DLLs, and drivers.
- Custom scan runs the rootkit detection engine to detect and remove rootkits. It allows you to select a specific file folder on your local hard disk drive (HDD) to scan for threats.
You cannot schedule a removable media scan. A full scan will scan removable media.

Disable Scheduled Scan: Select to disable the scheduled scan.

4. Click OK to save the setting and return to the main FortiClient console page.
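The day-31 note above is the kind of edge case that quietly shifts a scan and then shows up as a gap when someone checks whether scheduled scans actually ran. The following Python is an added example, not FortiClient code; it computes the next scan start for the Daily, Weekly and Monthly schedule types and, for Monthly, applies that note by rolling a day that does not exist in a month over to the first day of the following month. That reading of the note (roll-over to the next month rather than the first day of the same month) is an assumption, and the function names are mine.

```python
"""Added example: computing the next scheduled antivirus scan time.

Not FortiClient code. It models the Schedule Type / Scan On / Start settings
above, including the note that a monthly scan configured for the 31st runs on
the first day of the month in months with fewer than 31 days. That note is read
here as the scan rolling over to the first day of the following month; that
reading is an assumption.
"""
import calendar
from datetime import date, datetime, time, timedelta
from typing import Union

WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday")


def _monthly_date(year: int, month: int, day_of_month: int) -> date:
    """Scan date for one month; a day past the month's end rolls to the 1st of the next month."""
    days_in_month = calendar.monthrange(year, month)[1]
    if day_of_month <= days_in_month:
        return date(year, month, day_of_month)
    # Assumption: e.g. the 31st in a 30-day month becomes the 1st of the next month.
    return date(year, month, days_in_month) + timedelta(days=1)


def next_scheduled_scan(schedule_type: str,
                        scan_on: Union[str, int, None],
                        start: time,
                        after: datetime) -> datetime:
    """Return the first scan start strictly after `after`.

    schedule_type: "Daily", "Weekly" or "Monthly" (the Schedule Type drop-down).
    scan_on:       weekday name for Weekly, day of month (1-31) for Monthly,
                   ignored for Daily (the Scan On drop-down).
    start:         time of day from the Start setting (24-hour clock).
    """
    if schedule_type == "Daily":
        candidate = datetime.combine(after.date(), start)
        return candidate if candidate > after else candidate + timedelta(days=1)

    if schedule_type == "Weekly":
        target = WEEKDAYS.index(scan_on)  # ValueError on an unknown weekday name
        candidate = datetime.combine(after.date(), start)
        candidate += timedelta(days=(target - candidate.weekday()) % 7)
        return candidate if candidate > after else candidate + timedelta(days=7)

    if schedule_type == "Monthly":
        day = int(scan_on)
        if not 1 <= day <= 31:
            raise ValueError("day of month must be 1..31")
        year, month = after.year, after.month
        while True:  # walk forward month by month until a start lies after `after`
            candidate = datetime.combine(_monthly_date(year, month, day), start)
            if candidate > after:
                return candidate
            month += 1
            if month > 12:
                month, year = 1, year + 1

    raise ValueError(f"unknown schedule type: {schedule_type!r}")


def next_scan_iso(schedule_type: str, scan_on: Union[str, int, None],
                  start_hhmm: str, after_iso: str) -> str:
    """String convenience wrapper: start as 'HH:MM', after as ISO 8601, result as ISO 8601."""
    result = next_scheduled_scan(schedule_type, scan_on,
                                 time.fromisoformat(start_hhmm),
                                 datetime.fromisoformat(after_iso))
    return result.isoformat(timespec="minutes")


if __name__ == "__main__":
    # A scan set for the 31st, asked on 15 April: April has 30 days, so it rolls to 1 May.
    print(next_scan_iso("Monthly", 31, "02:00", "2015-04-15T12:00"))
```

Walking month by month rather than adding a fixed 30 or 31 days is what keeps the roll-over correct across February and across year boundaries; the same loop is usable as the expected-run oracle when auditing scan logs for missed scheduled scans.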


Manage the AntiVirus exclusion list

To add files or folders to the AntiVirus exclusion list:

1. On the AntiVirus tab, click the Settings icon.


2. Click the Exclusion List tab.
3. Click the + icon, and select either Add file or Add folder.

A Browse dialog box is displayed.

4. Locate and select the file or folder, and click Open.


The file or folder is added to the exclusion list, and will not be scanned by the AntiVirus engine.

5. Click OK to save the changes.

To remove files or folders from the AntiVirus exclusion list:

1. On the AntiVirus tab, click the Settings icon.


The Settings page is displayed.

2. Click the Exclusion List tab.


The exclusion list is displayed.

3. Click one or more items in the exclusion list.


A check mark is displayed beside the selected items.

4. Click the - icon.


The selected items are removed from the exclusion list.

5. Click OK to save the changes.

Configure additional Antivirus options


You can configure additional settings for the Antivirus tab by going to File > Settings in the FortiClient console.
See Antivirus options on page 117.


Scan with AntiVirus on demand

You can perform on-demand antivirus scanning. You can scan specific files or folders, and you can submit a file
for analysis.

Scan now

To perform on-demand antivirus scanning:

1. On the AntiVirus tab, click the Scan Now button.


2. Use the drop-down menu to select Custom Scan, Full Scan, Quick Scan, or Removable Media Scan.

Custom Scan: Runs the rootkit detection engine to detect and remove rootkits. It allows you to select a specific file folder on your local hard disk drive (HDD) to scan for threats.

Full Scan: Runs the rootkit detection engine to detect and remove rootkits. Then it looks for threats by performing a full system scan on all files, executable files, DLLs, and drivers.

Quick Scan: Runs the rootkit detection engine to detect and remove rootkits. It looks for threats by scanning executable files, DLLs, and drivers that are currently running.

Removable Media Scan: Runs the rootkit detection engine to detect and remove rootkits. It scans all connected removable media, such as USB drives.

Scan files or folders

To scan files or folders:

1. Right-click the file or folder and select Scan with FortiClient AntiVirus from the menu.


Submit files to FortiGuard for analysis


You can send up to 5 files a day to FortiGuard for analysis.

You do not receive feedback for files submitted for analysis. The FortiGuard team is
able to create signatures for any files that are submitted for analysis and determined
to be malicious.

To submit files for analysis:

1. On your workstation, right-click a file or executable, and select Submit for analysis from the menu.
A dialog box is displayed that identifies the number of files you have submitted.

2. Confirm the location of the file that you want to submit, and click the Submit button.

View AntiVirus scan results

You can view quarantined threats, site violations, alerts, and realtime protection events when FortiClient is in
standalone or managed mode.

View quarantined threats

To view quarantined threats:

1. On the AntiVirus tab, click the X Threats Detected link.


2. Click the Quarantined Files tab.
In this page you can view, restore, or delete the quarantined file. You can also view the original file location,
the virus name, submit the suspicious file to FortiGuard, and view logs.


This page displays the following information:

Summary

File Name: Lists the names of the quarantined files.

Date Quarantined: Lists the date and time that the files were quarantined by FortiClient.

Refresh: Click to refresh the information.

Details: Select a file from the list to view detailed information.

File Name: Name of the selected quarantined file.

Original Location: Location of the file before antivirus scanning.

Quarantined: Date and time that the file was quarantined.

Submitted: Displays Not Submitted when the selected file has not been submitted to antivirus software for scanning by clicking the Submit button. Displays Submitted after clicking the Submit button.

Status: Status of the file, such as Quarantined.

Virus Name: Name of the virus detected by antivirus software.

Quarantined File Name: Name of the file after it was quarantined.

Log File Location: Location of the log data, if known.

Quarantined By: Click to refresh the list.

Submit: Click to submit the quarantined file to FortiGuard. Press and hold the control key to submit multiple entries.

Logs: Click to view the log files for antivirus scanning.

Submit: Click to submit the quarantined file for scanning.

Restore: Click to restore the quarantined file. A confirmation dialog box will be displayed. You can select Yes to add this file/folder to the exclusion list, No to restore the file, or Cancel to exit the operation. Press and hold the control key to restore multiple entries.

Delete: Click to delete the quarantined file. A confirmation dialog box will be displayed. Select Yes to continue. Press and hold the control key to delete multiple entries.

Close: Click to close the page and return to the FortiClient console.

3. Click Close.


View site violations


On the Site Violations page, you can view site violations and submit sites to be re-categorized.

To view site violations:

1. On the AntiVirus tab, click the X Threats Detected link.


2. Click the Site Violations tab.

The Site Violations page displays the following options:

Website: Displays the name of the website.

Time: Displays the date and time of the site violation.

Refresh: Select to refresh the site violation list.

Details: Select an entry in the list to view site violation details, including the website name, category, date and time, user name, and status. Select the category link to request to have the site category re-evaluated.

3. Click Close.

View alerts

When FortiClient antivirus detects a virus while attempting to download a file via a web browser, a warning is displayed.

Select View recently detected virus(es) to collapse the virus list. Right-click a file in the list to access the
following context menu:

Delete: Select to delete a quarantined or restored file.

Quarantine: Select to quarantine a restored file.

Restore: Select to restore a quarantined file.

Submit Suspicious File: Select to submit a file to FortiGuard as a suspicious file.

Submit as False Positive: Select to submit a quarantined file to FortiGuard as a false positive.

Add to Exclusion List: Select to add a restored file to the exclusion list. Any files in the exclusion list will not be scanned.

Open File Location: Select to open the file location on your workstation.

You must select Alert when viruses are detected under AntiVirus Options on the Set-
tings page to receive the virus alert dialog box when attempting to download a virus in
a web browser. If Alert when viruses are detected is disabled, the virus alert dialog
box is not displayed when you attempt to download a virus in a web browser.

View realtime protection events


When an antivirus realtime protection event has occurred, you can select to view these events in the FortiClient
console.

To view realtime protection events:

1. From the AntiVirus tab, select X Threats Detected.


2. Select Real-time Protection events (x) in the left pane.
The realtime_scan.log will open in the default viewer.

Example log output:

Realtime scan result:
time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined,
c:\users\user\desktop\eicar.com
time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined,
c:\users\user\desktop\eicar.com.txt
time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined,
c:\users\user\desktop\eicarcom2.zip
time: 09/29/15 10:46:08, virus found: EICAR_TEST_FILE, action: Quarantined,
c:\users\user\desktop\eicar_com.zip
time: 09/29/15 10:46:39, virus found: EICAR_TEST_FILE, action: Quarantined,
c:\users\user\appdata\local\temp\3g_bl8y9.com.part
time: 03/18/15 10:48:13, virus found: EICAR_TEST_FILE, action: Quarantined,
c:\users\user\appdata\local\temp\xntwh8q1.zip.part
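Records of this shape are what an analyst or a SIEM pipeline ends up parsing. The following Python is an added example, not FortiClient code; it parses the realtime_scan.log record format shown above (the file path may appear on the record line or wrapped onto the next line, as it does in the excerpt), converts the timestamps, and summarises the events, counting hits on *.part files separately because those are in-progress browser downloads caught before the download completed. SAMPLE_LOG is constructed after the excerpt above, and the function names are mine.

```python
"""Added example: parsing FortiClient's realtime_scan.log into structured events.

Not FortiClient code. It parses the 'time: ..., virus found: ..., action: ...,'
record format shown above, where the quarantined file's path follows the record
on the same or the next line, and summarises the result the way a triage script
would. SAMPLE_LOG is constructed, modelled on the excerpt above.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed sample modelled on the excerpt above (EICAR is the standard harmless test string).
SAMPLE_LOG = r"""Realtime scan result:
time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined,
c:\users\user\desktop\eicar.com
time: 09/29/15 10:46:08, virus found: EICAR_TEST_FILE, action: Quarantined,
c:\users\user\desktop\eicar_com.zip
time: 09/29/15 10:46:39, virus found: EICAR_TEST_FILE, action: Quarantined,
c:\users\user\appdata\local\temp\3g_bl8y9.com.part
time: 03/18/15 10:48:13, virus found: EICAR_TEST_FILE, action: Quarantined,
c:\users\user\appdata\local\temp\xntwh8q1.zip.part
"""


class ScanEvent(NamedTuple):
    time: datetime
    virus: str
    action: str
    path: str


# One record; the path is optional here because it is often wrapped onto the next line.
_RECORD = re.compile(
    r"^time: (?P<time>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), "
    r"virus found: (?P<virus>[^,]+), action: (?P<action>[^,]+),\s*(?P<path>\S.*)?$"
)


def parse_realtime_scan_log(text: str) -> List[ScanEvent]:
    """Parse records; the path is taken from the record line or the next non-empty line."""
    lines = text.splitlines()
    events: List[ScanEvent] = []
    i = 0
    while i < len(lines):
        m = _RECORD.match(lines[i])
        i += 1
        if not m:
            continue  # banner line or anything not recognised as a record
        path = m.group("path")
        if path is None:
            # Path wrapped onto the following line (as in the guide's excerpt).
            while i < len(lines) and not lines[i].strip():
                i += 1
            if i < len(lines) and not _RECORD.match(lines[i]):
                path = lines[i].strip()
                i += 1
            else:
                path = ""  # record without a path: keep it rather than drop it
        events.append(ScanEvent(
            time=datetime.strptime(m.group("time"), "%m/%d/%y %H:%M:%S"),
            virus=m.group("virus").strip(),
            action=m.group("action").strip(),
            path=path,
        ))
    return events


def summarize(events: List[ScanEvent]) -> Dict[str, object]:
    """Counts per virus and per action, plus how many hits were partial (*.part) downloads."""
    by_virus = Counter(e.virus for e in events)
    by_action = Counter(e.action for e in events)
    partial_downloads = sum(1 for e in events if e.path.lower().endswith(".part"))
    ordered = sorted(events, key=lambda e: e.time)  # the log is not guaranteed to be chronological
    return {
        "total": len(events),
        "by_virus": dict(by_virus),
        "by_action": dict(by_action),
        "partial_downloads": partial_downloads,
        "first_seen": ordered[0].time.isoformat() if ordered else None,
        "last_seen": ordered[-1].time.isoformat() if ordered else None,
    }


if __name__ == "__main__":
    parsed = parse_realtime_scan_log(SAMPLE_LOG)
    for event in parsed:
        print(event.time.isoformat(), event.virus, event.action, event.path)
    print(summarize(parsed))
```

The two-digit year and the wrapped path are the two details that break naive one-line-per-event parsing of this file; sorting by parsed time matters because, as the excerpt itself shows, entries are not necessarily in chronological order.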

View FortiClient engine and signature versions

You can view the current FortiClient version, engine, and signature information.


When EMS manages FortiClient, you can select to use a FortiManager device for
FortiClient software and signature updates. When configuring the profile by using
EMS, select Use FortiManager for client software/signature updates to enable the
feature, and enter the IP address of your FortiManager device. You can select to fail-
over to FDN when FortiManager is not available.

To view FortiClient engine and signature versions:

1. Go to Help > About.

2. Hover the mouse over the Status field to see the date and time that FortiClient last updated the selected item.
3. Click Close.

Web Security/Web Filter

Web Security/Web Filter allows you to block, allow, warn, and monitor web traffic based on URL category or
custom URL filters. URL categorization is handled by the FortiGuard Distribution Network (FDN). You can create
a custom URL filter exclusion list that overrides the FDN category.

When FortiClient is in standalone mode, the Web Security tab is displayed. When
FortiClient is in managed mode, and FortiClient Telemetry is connected to FortiGate
or EMS, the Web Security tab changes to the Web Filter tab.

Web Security

The Web Security tab is displayed in FortiClient console when FortiClient is installed
with Additional Security Features and Web Filtering selected, and FortiClient is run-
ning in standalone mode.

Enable Web Security


You can enable Web Security when FortiClient is running in standalone mode.

To enable Web Security:

1. On the Web Security tab, click the Enable link in the FortiClient console.

The following options are available:

Enable/Disable: Select to enable or disable Web Security.

X Violations (In the Last 7 Days): Select to view Web Security log entries of the violations that have occurred in the last 7 days.

Protection by Site Category: Displays the settings as well as a Settings icon. Click the Settings icon to configure the site categories, exclusion list, and settings. You can also view violations.

Disable Web Security


You can disable Web Security when FortiClient is running in standalone mode.

To disable Web Security:

1. On the Web Security tab, toggle the Disable link in the FortiClient console.

Web Filter

The Web Filter tab is displayed in FortiClient console when FortiClient is installed with
Additional Security Features and Web Filtering selected, and FortiClient Telemetry is
connected to FortiGate or EMS.

Enable Web Filter


For FortiClient in managed mode, when FortiClient Telemetry is connected to a FortiGate or EMS, an
administrator might enable, configure, and lock the web filtering settings.

You can enable web filtering when the FortiClient console is not locked by EMS, and web filtering is excluded
from FortiGate compliance rules.

To enable web filtering:

1. On the Web Filter tab, click the Enable link in the FortiClient console.

The following options are available:

Enable/Disable: Select to enable or disable Web Filter.

X Violations (In the Last 7 Days): Select to view Web Filter log entries of the violations that have occurred in
the last 7 days.

Web Filter Profile: Displays the Web Filter profile settings as well as a Settings icon. Click the
Settings icon to configure the site categories, exclusion list, and settings. You can also view violations.

Disable Web Filter


When FortiClient Telemetry is connected to FortiGate or EMS, you might be unable to disable web filtering.

You can disable web filtering if the FortiClient console is not locked by EMS and web filtering is excluded from
FortiGate compliance rules.

To disable web filtering:

1. On the Web Filter tab, click the Disable link.

Configure web filtering

You can configure web filtering settings, profiles, and exclusion lists.

When FortiClient Telemetry is connected to FortiGate or EMS, you might be unable to configure web filtering.

Configure site categories


You can configure FortiClient to allow, block, warn, or monitor web traffic based on site categories.

To configure site categories:

1. On the Web Security/Web Filter tab, click the Settings icon.


2. Click a site category.
3. Click the Action icon, and select an action in the drop-down menu.

The following actions are available:

Allow: Set the category or sub-category to Allow to allow access.

Block: Set the category or sub-category to Block to block access. The user will receive a Web Page
Blocked message in the web browser.

Warn: Set the category or sub-category to Warn but allow access. The user will receive a Web
Page Warning message in the web browser. The user can select to proceed or go back to
the previous web page.

Monitor: Set the category or sub-category to Monitor to allow access. The site will be logged.

You can select to enable or disable Site Categories in the Web Security/Web Filter
settings page. When site categories are disabled, FortiClient is protected by the
exclusion list.

4. Click OK.

Manage the Web Filter/Web Security exclusion list


You can add websites to the exclusion list and set the permission to allow, block, monitor, or exempt.

For more information on URL formats, type, and action, see the FortiOS Handbook in
the Fortinet Document Library.

To add items to the exclusion list:

1. On the Web Security/Web Filter tab, click the Settings icon.


2. Click the Exclusion List tab.
3. Click the + icon to add URLs to the exclusion list.
If the website is part of a blocked category, an allow permission in the Exclusion List would allow the user to
access the specific URL.

4. Configure the following settings:

Exclusion List: Select to exclude URLs that are explicitly blocked or allowed. Use the add
icon to add URLs and the delete icon to delete URLs from the list. Select a
URL, and select the edit icon to edit the selection.

URL: Enter a URL or IP address.

Type: Select one of the following pattern types:

• Simple
• Wildcard
• Regular Expression

Actions: Select one of the following actions:

• Block: Block access to the web site regardless of the URL category or sub-category action.
• Allow: Allow access to the web site regardless of the URL category or sub-category action.
• Monitor: Allow access to the web site regardless of the URL category or sub-category action. A log
message will be generated each time a matching traffic session is established.

5. Click OK.
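The evaluation order described above (the exclusion list overrides the site-category action; with site categories disabled only the exclusion list applies; Monitor and violations are logged) is shown here as an added Python model. It is not FortiClient code and not from the guide: the category names, hostnames and the rule that a Simple pattern matches everything below the named host/path are constructed assumptions for the demo, and which results count as "violations" (Block and Warn here) is likewise an assumption.

```python
import re
from fnmatch import fnmatchcase
from typing import Dict, List

# Actions the guide lists for site categories and for exclusion-list entries.
CATEGORY_ACTIONS = {"Allow", "Block", "Warn", "Monitor"}
EXCLUSION_ACTIONS = {"Allow", "Block", "Monitor"}
PATTERN_TYPES = {"Simple", "Wildcard", "Regular Expression"}


def _normalize(url: str) -> str:
    """Lower-case, drop the scheme and any trailing slash (assumed canonical form)."""
    return re.sub(r"^[a-z][a-z0-9+.\-]*://", "", url.strip().lower()).rstrip("/")


class ExclusionEntry:
    """One exclusion-list row: URL pattern, pattern type, and action."""

    def __init__(self, pattern: str, ptype: str, action: str) -> None:
        if ptype not in PATTERN_TYPES:
            raise ValueError(f"unknown pattern type {ptype!r}")
        if action not in EXCLUSION_ACTIONS:
            raise ValueError(f"unknown exclusion action {action!r}")
        self.pattern, self.ptype, self.action = pattern, ptype, action
        # Compile once so a malformed regex is rejected at configuration time.
        self._regex = re.compile(pattern, re.IGNORECASE) if ptype == "Regular Expression" else None

    def matches(self, url: str) -> bool:
        target = _normalize(url)
        if self.ptype == "Simple":
            # Assumption: a Simple entry matches the named host/path and everything below it.
            prefix = _normalize(self.pattern)
            return target == prefix or target.startswith(prefix + "/")
        if self.ptype == "Wildcard":
            return fnmatchcase(target, _normalize(self.pattern))
        return self._regex.search(target) is not None


class WebFilterPolicy:
    """Category actions plus an exclusion list, evaluated the way the guide describes."""

    def __init__(self, category_actions: Dict[str, str], exclusions: List[ExclusionEntry],
                 site_categories_enabled: bool = True, log_all_urls: bool = False) -> None:
        bad = set(category_actions.values()) - CATEGORY_ACTIONS
        if bad:
            raise ValueError(f"unknown category action(s): {sorted(bad)}")
        self.category_actions = category_actions
        self.exclusions = exclusions
        self.site_categories_enabled = site_categories_enabled
        self.log_all_urls = log_all_urls
        self.log: List[Dict[str, str]] = []

    def evaluate(self, url: str, category: str) -> str:
        """Return Allow, Block, Warn or Monitor for a request to url in the given FDN category."""
        for entry in self.exclusions:          # first matching exclusion wins (assumption)
            if entry.matches(url):
                return self._record(url, category, entry.action, f"exclusion {entry.pattern}")
        if not self.site_categories_enabled:
            # Guide: with site categories disabled, only the exclusion list protects.
            return self._record(url, category, "Allow", "site categories disabled")
        # Assumption: a category with no configured action is allowed.
        return self._record(url, category, self.category_actions.get(category, "Allow"), category)

    def _record(self, url: str, category: str, action: str, reason: str) -> str:
        # Block, Warn and Monitor results are logged; Allow only when "Log all URLs" is set.
        if action != "Allow" or self.log_all_urls:
            self.log.append({"url": url, "category": category, "action": action, "reason": reason})
        return action

    def violations(self) -> List[Dict[str, str]]:
        """Entries the "X Violations" view would show; Block and Warn here (assumption)."""
        return [e for e in self.log if e["action"] in ("Block", "Warn")]


def build_demo_policy(site_categories_enabled: bool = True) -> WebFilterPolicy:
    """Constructed sample policy; categories and hostnames are made up for the demo."""
    return WebFilterPolicy(
        {"Gambling": "Block", "Social Networking": "Warn",
         "Streaming Media": "Monitor", "Search Engines": "Allow"},
        [
            ExclusionEntry("allowed.example-gambling.test", "Simple", "Allow"),
            ExclusionEntry("*.example.test/*", "Wildcard", "Monitor"),
            ExclusionEntry(r"^(www\.)?intranet-tools\.test/admin", "Regular Expression", "Block"),
        ],
        site_categories_enabled=site_categories_enabled,
    )


if __name__ == "__main__":
    policy = build_demo_policy()
    for url, cat in [("https://www.example-gambling.test/lobby", "Gambling"),
                     ("https://allowed.example-gambling.test/page", "Gambling"),
                     ("http://cdn.example.test/app.js", "Search Engines"),
                     ("https://www.intranet-tools.test/admin/users", "Search Engines"),
                     ("https://social.example.org/feed", "Social Networking")]:
        print(f"{policy.evaluate(url, cat):8} {url}")
    print(f"{len(policy.violations())} violations logged")
```

The point worth noticing is the second request: the site is in a blocked category, yet the Simple exclusion lets it through, exactly the override the guide warns about. An exclusion entry is therefore as sensitive as a firewall rule and should be reviewed with the same care.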

To edit items in the exclusion list:

1. On the Web Security/Web Filter tab, click the Settings icon.


The Settings page is displayed.

2. Click the Exclusion List tab.


The exclusion list is displayed.

3. Click an item, and click the Edit icon.


The Edit dialog box is displayed.

4. Edit the settings, and click OK to save the changes.


To remove items from the exclusion list:

1. On the Web Security/Web Filter tab, click the Settings icon.


The Settings page is displayed.

2. Click the Exclusion List tab.


The exclusion list is displayed.

3. Click one or more items in the exclusion list.


A check mark is displayed beside the selected items.

4. Click the - icon.


The selected items are removed from the exclusion list.

5. Click OK to save the changes.

Configure settings

To configure settings:

1. On the Web Security/Web Filter tab, click the Settings icon.


2. Click the Settings tab.

3. Configure the following settings:

Enable Site Categories: Select to enable Site Categories. When site categories are disabled,
FortiClient is protected by the exclusion list.

Log all URLs: Select to log all URLs.

Identify user initiated web browsing: Select to identify web browsing that is user initiated.

4. Click OK.


View violations

You can view web-filtering violations in FortiClient console.

To view violations:

1. On the Web Security/Web Filter tab, click the Settings icon.


Alternately, you can click the X Violations (In the Last 7 Days) link.

2. Click the Violations tab.

The following information is displayed.

Website: The website name or IP address.

Category: The website sub-category.

Time: The date and time that the website was accessed.

User: The name of the user generating the traffic. Hover the mouse cursor over the column to
view the complete entry in the pop-up bubble message.

3. Click Close.

Application Firewall

This section applies only to FortiClient in managed mode.

FortiClient can recognize the traffic generated by a large number of applications. You can create rules to block or
allow traffic per category or application.

Enable Application Firewall

The Application Firewall tab is displayed in FortiClient console when FortiClient is
installed with Additional Security Features and Application Firewall selected.

For FortiClient in managed mode, when FortiClient Telemetry is connected to FortiGate or EMS, an
administrator might enable, configure, and lock the application firewall settings. You can enable Application
Firewall when the settings are not locked by EMS.

To enable Application Firewall:

1. On the Application Firewall tab, click the Enable link.

2. If prompted, click Elevate.

Application Firewall is enabled.


Disable Application Firewall

When FortiClient Telemetry is connected to FortiGate, you might be unable to disable application firewall. You
can disable Application Firewall when the settings are not locked by EMS.

To disable Application Firewall:

1. On the Application Firewall tab, click the Disable link.

Application Firewall is disabled.

View blocked applications

To view blocked applications:

1. On the Application Firewall tab, click the <number> Applications Blocked (In the Last 7 Days) link.
A page listing all blocked applications is displayed.

View application firewall profiles

You can view the application firewall profile when FortiClient Telemetry is connected to EMS.

To view the application firewall profile:

1. On the Application Firewall tab, click Show all.

Remote Access

FortiClient supports both IPsec and SSL VPN connections to your network for remote access. Administrators can
use EMS to provision VPN configurations for FortiClient console, and endpoint users can configure new
VPN connections by using FortiClient console.

Enable remote access

The Remote Access tab is displayed in FortiClient console when FortiClient is
installed with Secure Remote Access selected.

When FortiClient is in managed mode and managed by EMS, FortiClient might include VPN connection
configurations for you to use.

Configure VPN connections

You can configure SSL VPN connections and IPsec VPN connections by using FortiClient console.

Configure SSL VPN connections

To configure SSL VPN connections:

1. On the Remote Access tab, click the Configure VPN link, or use the drop-down menu in the FortiClient console.


2. Select SSL-VPN, then configure the following settings:

Connection Name: Enter a name for the connection.

Description: Enter a description for the connection. (optional)

Remote Gateway: Enter the IP address/hostname of the remote gateway. Multiple remote
gateways can be configured by separating each entry with a semicolon. If
one gateway is not available, the VPN will connect to the next configured
gateway.

Customize port: Select to change the port. The default port is 443.

Authentication: Select to Prompt on login or Save login. The Disable option is available
when Client Certificate is enabled.

Username: If you selected Save login, type the username to save for the login.

Client Certificate: Select to enable client certificates, then select either Prompt on connect or
the certificate from the drop-down list.

Do not Warn Invalid Server Certificate: Select if you do not want to be warned if the server presents an
invalid certificate.

+: Select the add icon to add a new connection.

-: Select a connection and then select the delete icon to delete a connection.

3. Click Apply to save the VPN connection, and then click Close to return to the Remote Access screen.

Configure IPsec VPN connections

To configure IPsec VPN connections:

1. On the Remote Access tab, click the Configure VPN link, or use the drop-down menu in the FortiClient console.

2. Select IPsec VPN, then configure the following settings:

Connection Name: Enter a name for the connection.

Description: Enter a description for the connection. (optional)

Remote Gateway: Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be
configured by separating each entry with a semicolon. If one gateway is not available, the VPN will
connect to the next configured gateway.

Authentication Method: Select either X.509 Certificate or Pre-shared Key in the drop-down menu. When
you select X.509 Certificate, select either Prompt on connect or a certificate from the list.

Authentication (XAuth): Select Prompt on login, Save login, or Disable.

Username: If you selected Save login, type the username to save for the login.

Advanced Settings: Configure VPN settings, Phase 1, and Phase 2 settings.

VPN Settings

  Mode: Select one of the following:

  • Main: In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted
  authentication information.
  • Aggressive: In Aggressive mode, the phase 1 parameters are exchanged in a single message with
  authentication information that is not encrypted.

  Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup
  phase 1 configuration for the interface IP address, and the remote VPN peer or client is authenticated
  using an identifier (local ID).

  Options: Select one of the following:

  • Mode Config: IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses.
  • Manually Set: Manual key configuration. If one of the VPN devices is manually keyed, the other VPN
  device must also be manually keyed with the identical authentication and encryption keys. Enter the
  DNS server IP, assign IP address, and subnet values. Select the check box to enable split tunneling.
  • DHCP over IPsec: DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses.
  Select the check box to enable split tunneling.

Phase 1: Select the encryption and authentication algorithms used to generate keys for protecting
negotiations and add encryption and authentication algorithms as required. You need to select a minimum
of one and a maximum of two combinations. The remote peer or client must be configured to use at least
one of the proposals that you define.

  IKE Proposal: Select symmetric-key algorithms (encryption) and message digests (authentication) from
  the drop-down lists.

  DH Group: Select one or more Diffie-Hellman groups from DH group 1, 2, 5, 14, 15, 16, 17, 18, 19 and 20.
  At least one of the DH Group settings on the remote peer or client must match one of the selections on
  the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations.

  Key Life: Enter the time (in seconds) that must pass before the IKE encryption key expires. When the
  key expires, a new key is generated without interrupting service. The key life can be from 120 to
  172,800 seconds.

  Local ID: Enter the Local ID (optional). This Local ID value must match the peer ID value given for the
  remote VPN peer's Peer Options.

  Dead Peer Detection: Select this check box to reestablish VPN tunnels on idle connections and clean up
  dead IKE peers if required.

  NAT Traversal: Select the check box if a NAT device exists between the client and the local FortiGate
  unit. The client and the local FortiGate unit must have the same NAT traversal setting (both selected
  or both cleared) to connect reliably.

Phase 2: Select the encryption and authentication algorithms that will be proposed to the remote VPN
peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals
that you specify must match configuration on the remote peer.

  IKE Proposal: Select symmetric-key algorithms (encryption) and message digests (authentication) from
  the drop-down lists.

  Key Life: The Key Life setting sets a limit on the length of time that a phase 2 key can be used. The
  default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of
  processed data, or both. If you select both, the key expires when either the time has passed or the
  number of KB have been processed. When the phase 2 key expires, a new key is generated without
  interrupting service.

  Enable Replay Detection: Replay detection enables the unit to check all IPsec packets to see if they
  have been received before. If any encrypted packets arrive out of order, the unit discards them.

  Enable Perfect Forward Secrecy (PFS): Select the check box to enable Perfect forward secrecy (PFS).
  PFS forces a new Diffie-Hellman exchange when the tunnel starts and whenever the phase 2 key life
  expires, causing a new key to be generated each time.

  DH Group: Select one Diffie-Hellman (DH) group (1, 2, 5, 14, 15, 16, 17, 18, 19 or 20). This must match
  the DH Group that the remote peer or dialup client uses.

+: Select the add icon to add a new connection.

-: Select a connection and then select the delete icon to delete a connection.

3. Click Apply to save the VPN connection, and then click Close to return to the Remote Access screen.
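The Phase 1 constraints listed above (one or two proposals, DH groups drawn from 1, 2, 5 and 14 through 20, a key life between 120 and 172,800 seconds, matching NAT traversal on both sides, and at least one proposal and DH group in common with the peer) are modelled here as an added Python example. It is not FortiClient or FortiGate code and not from the guide; the `Proposal`/`Phase1Config` types, the choice of the highest-numbered common DH group, treating a NAT traversal mismatch as a failed negotiation, and the advisory about groups 1, 2 and 5 are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constraints the guide states for the FortiClient IPsec phase 1 settings.
VALID_DH_GROUPS = {1, 2, 5, 14, 15, 16, 17, 18, 19, 20}
KEY_LIFE_MIN, KEY_LIFE_MAX = 120, 172_800          # seconds
MAX_PROPOSALS = 2
# Advisory only (not from the guide): MODP groups 1, 2 and 5 are 768/1024/1536-bit
# and are widely deprecated.
WEAK_DH_GROUPS = {1, 2, 5}


@dataclass(frozen=True)
class Proposal:
    encryption: str   # symmetric-key algorithm, e.g. "AES256"
    digest: str       # message digest, e.g. "SHA256"


@dataclass
class Phase1Config:
    proposals: List[Proposal]       # tried in this order (preference)
    dh_groups: Set[int]
    key_life: int = 86400
    nat_traversal: bool = True
    dead_peer_detection: bool = True


def validate_phase1(cfg: Phase1Config) -> List[str]:
    """Return the constraint violations in cfg (empty list when it is acceptable)."""
    problems: List[str] = []
    if not 1 <= len(cfg.proposals) <= MAX_PROPOSALS:
        problems.append(f"{len(cfg.proposals)} proposals; need between 1 and {MAX_PROPOSALS}")
    if not cfg.dh_groups:
        problems.append("no DH group selected")
    invalid = cfg.dh_groups - VALID_DH_GROUPS
    if invalid:
        problems.append(f"unsupported DH group(s): {sorted(invalid)}")
    if not KEY_LIFE_MIN <= cfg.key_life <= KEY_LIFE_MAX:
        problems.append(f"key life {cfg.key_life}s outside {KEY_LIFE_MIN}-{KEY_LIFE_MAX}s")
    return problems


def advisories(cfg: Phase1Config) -> List[str]:
    """Non-blocking hardening hints; these go beyond what the guide requires."""
    hints: List[str] = []
    weak = cfg.dh_groups & WEAK_DH_GROUPS
    if weak:
        hints.append(f"DH group(s) {sorted(weak)} offer little security margin; prefer 14 or higher")
    if not cfg.dead_peer_detection:
        hints.append("dead peer detection disabled; dead IKE peers will not be cleaned up")
    return hints


def negotiate_phase1(client: Phase1Config, gateway: Phase1Config) -> Optional[Tuple[Proposal, int]]:
    """Simulate the match the guide requires: a proposal and a DH group both sides accept.

    Client proposals are tried in preference order; among the common DH groups the
    highest-numbered one is chosen. Both rules are assumptions of this model, not a
    description of FortiClient's real selection logic."""
    if client.nat_traversal != gateway.nat_traversal:
        # The guide says both sides must agree; the model treats a mismatch as a failure.
        return None
    common_groups = client.dh_groups & gateway.dh_groups
    if not common_groups:
        return None     # "Failure to match one or more DH groups will result in failed negotiations."
    for proposal in client.proposals:
        if proposal in gateway.proposals:
            return proposal, max(common_groups)
    return None


if __name__ == "__main__":
    # Constructed sample: a client and a gateway whose settings overlap on one proposal and group 14.
    client = Phase1Config([Proposal("AES256", "SHA256"), Proposal("AES128", "SHA1")], {14, 19, 20})
    gateway = Phase1Config([Proposal("AES128", "SHA1"), Proposal("AES256", "SHA256")], {2, 5, 14})
    print("client problems:", validate_phase1(client) or "none")
    print("gateway advisories:", advisories(gateway))
    print("negotiated:", negotiate_phase1(client, gateway))
```

Run stand-alone, the sample negotiates AES256/SHA256 with DH group 14, and the gateway side is flagged for still offering groups 2 and 5. The same functions can be pointed at a Phase 2 proposal set, since the "up to two proposals, at least one must match" rule is the same.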

Connect VPNs

You can connect VPN tunnels to FortiGate.

Connect SSL and IPsec VPNs


Depending on the FortiClient configuration, you might also have permission to edit an existing VPN connection
and delete an existing VPN connection.

Microsoft Internet Explorer's SSL and TLS settings should be the same as those on the
FortiGate.

To connect to VPNs:

1. On the Remote Access tab, select the VPN connection from the drop-down menu.
Alternatively, right-click the FortiClient icon in the system tray and select a VPN configuration to connect.

Provisioned VPN connections will be listed under Corporate VPN . Locally configured
VPN connections will be listed under Personal VPN .


2. Type your username and password.


3. If a certificate is required, select a certificate.
If the VPN tunnel was configured to require a certificate, you must select a certificate. If no certificate is
required, the option is hidden in FortiClient console.

Your administrator might have configured FortiClient to automatically locate a certificate for you.

4. Click the Connect button.


When connected, FortiClient console displays the connection status, duration, and other relevant
information. You can now browse your remote network. Click the Disconnect button when you are ready to
terminate the VPN session.

Connect VPNs with FortiToken Mobile


VPN connections to FortiGate might require network authentication that uses a token from FortiToken Mobile,
which is an application that runs on Android or iOS devices. For more information about FortiToken Mobile, see
the Document Library.

FortiGate can be configured to let you push a token from FortiClient console to FortiGate to complete network
authentication when connecting VPNs. When configured, you can push the token by clicking the FTM Push
button in FortiClient console. The push token is sent to FortiGate, and you receive a notification of the
authentication request on your device that has FortiToken Mobile installed. On your device, you can tap the
notification and follow the instructions to allow or deny the authentication request.

If a push token is not configured, you must type a token code from FortiToken Mobile into FortiClient console
when connecting VPNs.

You must have available the device with FortiToken Mobile installed to complete this procedure.

To connect VPNs with FortiToken Mobile by using PUSH notifications:

1. On the Remote Access tab, select the VPN connection from the drop-down menu.
2. Enter your username and password, and click the Connect button.
The Click on 'FTM Push' or enter token code box is displayed.


3. Click FTM Push.


Your device with FortiToken Mobile installed receives a notification.

4. On your device with FortiToken Mobile installed, tap the notification and follow the instructions to allow the
authentication request and complete network authentication without typing the token code.
You can also deny the authentication request, or do nothing and let the notification request expire.

To connect VPNs with FortiToken Mobile by typing token codes:

1. On the Remote Access tab, select the VPN connection from the drop-down menu.
2. Enter your username and password, and click the Connect button.
The Enter token code box is displayed.

3. Type the token code from your FortiToken Mobile, and click OK to complete network authentication.

Save password, auto connect, and always up


When an administrator uses EMS to configure a profile for FortiClient, the administrator can configure an IPsec or
SSL VPN connection to FortiGate and enable the following features:

• Save Password: Allows the user to save the VPN connection password in the console.
• Auto Connect: When FortiClient is launched, the VPN connection will automatically connect.
• Always Up (Keep Alive): When selected, the VPN connection is always up, even when no data is being processed.
If the connection fails, keep alive packets sent to the FortiGate will sense when the VPN connection is available and
re-connect VPN.

After FortiClient Telemetry connects to FortiGate when FortiGate and EMS are integrated, FortiClient receives a
profile from EMS that contains IPsec and/or SSL VPN connections to FortiGate. The following example shows an
SSL VPN connection named PM-SSL.


If the VPN connection fails, a pop-up window is displayed to inform you about the connection failure while
FortiClient continues trying to reconnect VPN in the background.

Depending on the VPN configuration, the pop-up window might include a Cancel button. If you click the Cancel
button, FortiClient stops trying to reconnect VPN.

Access to certificates in Windows Certificates Stores


On a Windows system, you can view certificates by using an MMC (Microsoft Management Console) snap-in
called Certificates console. For more information, see the following Microsoft TechNet articles:

• Add the Certificates Snap-in to an MMC available at https://technet.microsoft.com/en-us/library/cc754431
• Display Certificate Stores available at https://technet.microsoft.com/en-us/library/cc725751

The Certificates console offers the following snap-in options:

• My user account
• Service account
• Computer account

You can select one or more snap-in options, and they will display in the Certificates console. FortiClient typically
searches for certificates in one of the following accounts:

• User account – contains certificates for the logged on user
• Computer account – contains certificates for the local computer

If the certificate is in the local computer account, FortiClient can typically access the certificate. A certificate from
the local computer account may be used to establish an IPsec VPN connection, regardless of whether the logged
on user is an administrator or a non-administrator. For SSL VPN, the administrator needs to grant permission to
users who are non-administrators to access the private key of the certificate. Otherwise, non-administrators
cannot use the certificate in the computer account to establish SSL VPN connections. This restriction does not
apply to any user with administrator level permission. IPsec VPN does not have this exception.

If the certificate is in the user account, FortiClient can access the certificate, if the user has already successfully
logged in, and the same user imported the certificate. In all other scenarios, FortiClient might be unable to
access the certificate.

The following table summarizes when FortiClient can (yes) and cannot (no) locate the certificate for users who
are logged into the endpoint and connecting VPN tunnels:

Connect VPN by using FortiClient GUI or FortiTray:

User account
  Logged in user with admin privilege: Yes, certificate found, if the certificate was imported by the same
  administrator user.
  Logged in user with non-admin privilege: Yes, certificate found, if the certificate was imported by the
  same user.

Computer account
  Logged in user with admin privilege: Yes, certificate found.
  Logged in user with non-admin privilege: IPsec VPN: Yes, certificate found. SSL VPN: Yes, certificate
  found, if access permission granted to private key.

SmartCard
  Logged in user with admin privilege: Yes, certificate found, if same user that was logged on at the time
  card was inserted.
  Logged in user with non-admin privilege: Yes, certificate found, if same user that was logged on at the
  time card was inserted.

When a user imports a certificate into the user account, a different logged on user cannot
access the same certificate.

A certificate on a smart card is imported into the user account of the logged on user.
As a result, the same conditions apply as with the user account.

The following table summarizes when FortiClient can (yes) and cannot (no) locate the certificate before a user
logs into the endpoint:

Unknown user before logging into Windows:

User account: No certificate found.

Computer account: Yes, certificate found.

SmartCard: No certificate found.

Advanced features (Microsoft Windows)

When deploying a custom FortiClient XML configuration, use the advanced FortiClient
Profile options in EMS to ensure the FortiClient profile settings do not overwrite your
custom XML settings. For more information, see the FortiClient XML Reference.


Activate VPN before Windows Log on


When using VPN before Windows log on, the user is offered a list of pre-configured VPN connections to select
from on the Windows log on screen. This requires that the Windows log on screen is not bypassed. As such, if
VPN before Windows log on is enabled, it is required to also check the check box Users must enter a user name
and password to use this computer in the User Accounts dialog box.
To make this change, proceed as follows:

In FortiClient:

1. Create the VPN tunnels of interest, or connect to FortiClient EMS, which provides the VPN list of interest.
2. On the FortiClient Settings page, enable VPN before log on; see VPN options on page 116.

On the Microsoft Windows system:

1. Start an elevated command line prompt.
2. Enter control passwords2 and press Enter. Alternatively, you can enter netplwiz.
3. Check the check box for Users must enter a user name and password to use this computer.
4. Click OK to save the setting.

Connect VPNs before logging on (AD environments)


The VPN <options> tag holds global information controlling VPN states. The VPN will connect first, then log on
to AD/Domain.

<forticlient_configuration>
  <vpn>
    <options>
      <show_vpn_before_logon>1</show_vpn_before_logon>
      <use_windows_credentials>1</use_windows_credentials>
    </options>
  </vpn>
</forticlient_configuration>

Create redundant IPsec VPNs


To use VPN resiliency/redundancy, you will configure a list of VPN gateways, instead of just one:

<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        ...
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            ...
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important
elements to complete the IPsec VPN configuration are omitted.

RedundantSortMethod = 1
This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate
which responds the fastest.

RedundantSortMethod = 0
By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority based. Priority based
configurations will try to connect to the FortiGate starting with the first in the list.

Create priority-based SSL VPN connections


SSL VPN supports priority based configurations for redundancy.

<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        ...
      </options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
          ...
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important
elements to complete the SSL VPN configuration are omitted.

For SSL VPN, all FortiGate units in the list must use the same TCP port.

Advanced features (Mac OS X)

When deploying a custom FortiClient XML configuration, use the advanced FortiClient
profile options in EMS to ensure the FortiClient Profile settings do not overwrite your
custom XML settings. For more information, see the FortiClient XML Reference.


Create redundant IPsec VPNs


To use VPN resiliency/redundancy, you will configure a list of FortiGate or EMS IP/FQDN servers, instead of just
one:

<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        ...
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            ...
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important
elements to complete the IPsec VPN configuration are omitted.

RedundantSortMethod = 1
This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate or
EMS which responds the fastest.

RedundantSortMethod = 0
By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority based. Priority based
configurations will try to connect to the FortiGate or EMS starting with the first in the list.

Create priority-based SSL VPN connections


SSL VPN supports priority based configurations for redundancy.

<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        ...
      </options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
          ...
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important
elements to complete the SSL VPN configuration are omitted.

For SSL VPN, all FortiGate or EMS servers in the list must use the same TCP port.
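The redundant IPsec and SSL VPN fragments above, in both the Windows and Mac OS X sections, share two rules a reviewer of a pushed profile wants checked automatically: the <redundantsortmethod> value decides priority order (0) versus fastest ping response (1), and an SSL VPN gateway list must not mix TCP ports. The following is an added Python checker, not FortiClient or EMS code and not from the guide. The sample profile is constructed from the guide's fragments plus one extra connection, ssl_mixed_ports, made up to show the check failing; the assumption that an entry without an explicit ":port" uses the default SSL VPN port 443 is this example's own, as is the omission of bracketed IPv6 literals.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SSL_VPN_DEFAULT_PORT = 443   # the default port the guide gives for SSL VPN

# Constructed sample profile modelled on the guide's fragments; ssl_mixed_ports is
# invented here to demonstrate the "same TCP port" check failing.
SAMPLE_XML = """<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
    <sslvpn>
      <options><enabled>1</enabled></options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
        </connection>
        <connection>
          <name>ssl_mixed_ports</name>
          <server>10.10.90.1:443;ssldemo.fortinet.com:10443</server>
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>"""


def split_gateways(server_text: str, default_port: Optional[int]) -> List[Tuple[str, Optional[int]]]:
    """Split the semicolon-separated <server> value into (host, port) pairs.

    Assumption: an entry written as host:port carries its own port and every other
    entry uses default_port. Bracketed IPv6 literals are not handled."""
    gateways: List[Tuple[str, Optional[int]]] = []
    for entry in server_text.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit() and ":" not in host:
            gateways.append((host, int(port)))
        else:
            gateways.append((entry, default_port))
    return gateways


def check_vpn_config(xml_text: str) -> Tuple[Dict[str, Dict[str, dict]], List[str]]:
    """Summarize every redundant VPN connection in the profile and list the problems found."""
    root = ET.fromstring(xml_text)
    report: Dict[str, Dict[str, dict]] = {"ipsec": {}, "ssl": {}}
    problems: List[str] = []

    for conn in root.iterfind("./vpn/ipsecvpn/connections/connection"):
        name = conn.findtext("name", default="?")
        gateways = split_gateways(conn.findtext("ike_settings/server", default=""), None)
        method = (conn.findtext("ike_settings/redundantsortmethod", default="0") or "0").strip()
        report["ipsec"][name] = {
            "gateways": [host for host, _ in gateways],
            # 1 = ping-response based (fastest responder wins); 0, the default, = priority order.
            "sort": "ping-response" if method == "1" else "priority",
        }
        if len(gateways) < 2:
            problems.append(f"{name}: a single gateway gives no redundancy")

    for conn in root.iterfind("./vpn/sslvpn/connections/connection"):
        name = conn.findtext("name", default="?")
        gateways = split_gateways(conn.findtext("server", default=""), SSL_VPN_DEFAULT_PORT)
        ports = {port for _, port in gateways}
        report["ssl"][name] = {"gateways": [host for host, _ in gateways], "ports": ports}
        if len(ports) > 1:
            # Guide: for SSL VPN every gateway in the list must use the same TCP port.
            problems.append(f"{name}: SSL VPN gateways use different TCP ports {sorted(ports)}")
        if len(gateways) < 2:
            problems.append(f"{name}: a single gateway gives no redundancy")

    return report, problems


if __name__ == "__main__":
    summary, issues = check_vpn_config(SAMPLE_XML)
    for kind, conns in summary.items():
        for name, info in conns.items():
            print(kind, name, info)
    print("problems:", issues or "none")
```

Because EMS pushes this XML to every endpoint in the profile, a check like this belongs in whatever review step the profile passes through before it is published, so that a mixed-port SSL VPN list is caught before clients start failing over to a gateway they cannot reach.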

VPN tunnel & script

This feature supports auto running a user-defined script after the configured VPN tunnel is connected or
disconnected. The scripts are batch scripts in Windows and shell scripts in Mac OS X. They are defined as part of
a VPN tunnel configuration on EMS's XML format FortiClient profile. The profile will be pushed down to
FortiClient from EMS. When FortiClient's VPN tunnel is connected or disconnected, the respective script defined
under that tunnel will be executed.

Windows

Map a network drive after tunnel connection


The script will map a network drive and copy some files after the tunnel is connected.

<on_connect>
  <script>
    <os>windows</os>
    <script>
      <![CDATA[
        net use x: \\192.168.10.3\ftpshare /user:Ted Mosby
        md c:\test
        copy x:\PDF\*.* c:\test
      ]]>
    </script>
  </script>
</on_connect>

Delete a network drive after tunnel is disconnected


The script will delete the network drive after the tunnel is disconnected.

<on_disconnect>
  <script>
    <os>windows</os>
    <script>
      <![CDATA[ net use x: /DELETE ]]>
    </script>
  </script>
</on_disconnect>


OS X

Map a network drive after tunnel connection


The script will map a network drive and copy some files after the tunnel is connected.
<on_connect>
<script>
<os>mac</os>
<script>
/bin/mkdir /Volumes/installers
/sbin/ping -c 4 192.168.1.147 > /Users/admin/Desktop/dropbox/p.txt
/sbin/mount -t smbfs //kimberly:RigUpTown@ssldemo.fortinet.com/installers /Volumes/installers/ > /Users/admin/Desktop/dropbox/m.txt
/bin/mkdir /Users/admin/Desktop/dropbox/dir
/bin/cp /Volumes/installers/*.log /Users/admin/Desktop/dropbox/dir/.
</script>
</script>
</on_connect>

Delete a network drive after tunnel is disconnected


The script unmounts the network share after the tunnel is disconnected. Note that the rm -fr line removes everything under /Users/admin/Desktop/dropbox, not only the files the connect script copied there.
<on_disconnect>
<script>
<os>mac</os>
<script>
/sbin/umount /Volumes/installers
/bin/rm -fr /Users/admin/Desktop/dropbox/*
</script>
</script>
</on_disconnect>
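As an added example for this guide (not Fortinet code and not part of the original page), the following Python script brings the two checks above together: it parses the semicolon-separated <server> list of each SSL VPN connection in priority order and reports when the listed servers do not share one TCP port, and it inspects each on_connect/on_disconnect script body for embedded credentials before the profile is pushed from EMS. It also shows how a script body is wrapped in a CDATA section and rejects a body containing "]]>", which cannot be carried that way. The sample profile is constructed for the example: the first connection reuses the ssl_90_1 server list and the OS X mount command from this page; the second (ssl_mixed, with vpn1.example.com and vpn2.example.com) is invented to show a port mismatch and the Windows net use command. Assumptions of the example: a server entry without an explicit port uses 443, on_connect/on_disconnect elements sit directly under <connection>, and the credential patterns are heuristics, not a complete scanner.

```python
"""Lint a FortiClient VPN profile fragment: SSL VPN server lists and tunnel
scripts. Added example for this guide, not Fortinet code."""
import re
import xml.etree.ElementTree as ET

# Assumption: a server entry without an explicit port uses the SSL VPN default, 443.
DEFAULT_SSLVPN_PORT = 443

# Constructed sample profile. ssl_90_1 reuses the guide's server list and OS X
# mount command; ssl_mixed is invented to show a port mismatch and the Windows
# net use command. Placing <on_connect> under <connection> is an assumption.
SAMPLE_PROFILE = r"""<forticlient_configuration><vpn><sslvpn><connections>
<connection>
<name>ssl_90_1</name>
<server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
<on_connect><script><os>mac</os>
<script>/sbin/mount -t smbfs //kimberly:RigUpTown@ssldemo.fortinet.com/installers /Volumes/installers/</script>
</script></on_connect>
</connection>
<connection>
<name>ssl_mixed</name>
<server>vpn1.example.com:10443;vpn2.example.com</server>
<on_connect><script><os>windows</os>
<script><![CDATA[net use x: \\192.168.10.3\ftpshare /user:Ted Mosby]]></script>
</script></on_connect>
</connection>
</connections></sslvpn></vpn></forticlient_configuration>"""

# Heuristics (not exhaustive): user:password@ inside a URL, and a positional
# password on a "net use" line.
URL_CRED_RE = re.compile(r"//[^/\s@]+:[^/\s@]+@")
NET_USE_RE = re.compile(r"^\s*net\s+use\b(.*)$", re.IGNORECASE | re.MULTILINE)


def parse_server_list(value, default_port=DEFAULT_SSLVPN_PORT):
    """Split a semicolon-separated <server> value into (host, port) pairs in
    priority order. IPv6 literals are not handled."""
    entries = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        host, sep, port = item.rpartition(":")
        if sep and port.isdigit():
            entries.append((host, int(port)))
        else:
            entries.append((item, default_port))
    return entries


def check_server_ports(entries):
    """Return the set of distinct ports; more than one violates the same-port rule."""
    return {port for _, port in entries}


def find_embedded_credentials(script_text):
    """Return descriptions of credentials found in a tunnel script body."""
    findings = [f"credentials in URL: {m.group(0)}" for m in URL_CRED_RE.finditer(script_text)]
    for m in NET_USE_RE.finditer(script_text):
        seen_share = False
        # net use [device] \\server\share [password | *] [/user:...]: a bare token
        # after the share is the password; a space inside /user: leaves one behind too.
        for tok in m.group(1).split():
            if tok.startswith("\\\\"):
                seen_share = True
            elif seen_share and not tok.startswith("/") and tok != "*":
                findings.append(f"net use passes a password inline: {tok}")
    return findings


def render_script_element(hook, os_name, body):
    """Render an <on_connect>/<on_disconnect> element with the body in CDATA, so
    backslashes and angle brackets in commands need no XML escaping."""
    if hook not in ("on_connect", "on_disconnect"):
        raise ValueError("hook must be on_connect or on_disconnect")
    if "]]>" in body:
        raise ValueError("script body contains ']]>' and cannot be wrapped in CDATA")
    return (f"<{hook}>\n<script>\n<os>{os_name}</os>\n<script>\n"
            f"<![CDATA[\n{body}\n]]>\n</script>\n</script>\n</{hook}>\n")


def lint_profile(xml_text):
    """Return human-readable findings for every <connection> in the profile."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("connection"):
        name = conn.findtext("name", default="?")
        ports = check_server_ports(parse_server_list(conn.findtext("server", default="")))
        if len(ports) > 1:
            findings.append(f"{name}: servers use different ports {sorted(ports)}")
        for hook in ("on_connect", "on_disconnect"):
            for node in conn.findall(hook):
                os_name = node.findtext("script/os", default="?")
                body = node.findtext("script/script", default="")
                for f in find_embedded_credentials(body):
                    findings.append(f"{name} {hook} ({os_name}): {f}")
    return findings


if __name__ == "__main__":
    for line in lint_profile(SAMPLE_PROFILE):
        print(line)
```

Run it as a pre-push check on the XML profile exported from EMS: a non-empty findings list is a reason to fix the profile before it reaches endpoints, since a mismatched port silently removes a server from the redundancy list and an embedded password is distributed to every endpoint that receives the profile.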

Vulnerability Scan

FortiClient includes a Vulnerability Scan component to check endpoints for known vulnerabilities. The
vulnerability scan results can include:

- List of vulnerabilities detected
- How many detected vulnerabilities are rated as critical, high, medium, or low threats
- Links to more information, including links to the FortiGuard Center (FortiGuard.com)
- One-click link to install patches and resolve as many identified vulnerabilities as possible
- List of patches that require manual installation by the endpoint user to resolve vulnerabilities

FortiClient can detect known vulnerabilities in many software products. For the list of software, see Appendix C -
Vulnerability Patches on page 126.

Compliance and vulnerability scanning


If compliance is enabled for FortiClient in managed mode, and FortiGate compliance rules require it, all
automatic and manual software patches must be installed within a time frame to maintain compliant status and
network access. The default time frame is 1 day; however, the FortiGate administrator may choose a different
time frame. Contact your system administrator to learn how long you have to fix vulnerabilities. For more
information about compliance, see Compliance on page 43.

Enable vulnerability scan

Vulnerability scanning is enabled by default. You cannot disable or configure the vulnerability scan feature by
using the FortiClient console.

When FortiClient is in managed mode and managed by EMS, an administrator might configure and lock
vulnerability scanning for you. An administrator might also disable vulnerability scanning.

Scan now

You can scan on-demand. When the scan is complete, FortiClient displays a summary of vulnerabilities found on
the endpoint. If any detected vulnerabilities require you to manually install remediation patches, the list of
affected software is also displayed.


To scan now:

1. On the Vulnerability Scan tab, click the Scan Now button.

FortiClient scans the endpoint for known vulnerabilities, and a summary of vulnerabilities found on the
system is displayed.

If any detected vulnerabilities require you to manually install remediation patches, a dialog box is displayed
that informs you what software should be updated. If you fail to update the identified software, you might
lose access to the network. If you lose access to the network, contact your system administrator for
assistance. Following is an example of the dialog box:


2. If applicable, read the list of software that requires manual installation of software patches, and click OK. See
Manually fix detected vulnerabilities on page 111.

Cancel scan
In standalone mode, when FortiClient is scanning for vulnerabilities, a Cancel Scan button is displayed, and you
can click the button to cancel the scan.

To cancel a vulnerability scan:

1. On the Vulnerability Scan tab, click the Cancel Scan button.

The vulnerability scan is canceled.

Automatically fix detected vulnerabilities

The Vulnerability Scan tab identifies vulnerabilities on the endpoint that should be fixed by installing software
patches. You can automatically install software patches by clicking the Fix Now link, or you can review detected
vulnerabilities before installing software patches.

Any software patches that cannot be automatically installed are listed on the Vulnerability Scan tab, and you
should manually download and install software patches for the vulnerable software.

If compliance is enabled for FortiClient in managed mode, and FortiGate compliance rules require it, all software
patches must be installed within a time frame to maintain compliant status and network access. See also
Compliance and vulnerability scanning on page 107.

In managed mode, you might be unable to automatically fix vulnerabilities. An administrator might have the
vulnerabilities automatically fixed for you.

To automatically fix detected vulnerabilities:

1. In the Vulnerability Scan tab, beside Vulnerabilities Detected, click Fix Now to automatically install software
patches to fix the detected vulnerabilities.


FortiClient installs the software patches. You may need to reboot the endpoint device to complete
installation.

Review detected vulnerabilities before fixing

To review detected vulnerabilities before fixing:

1. In the Vulnerability Scan tab, beside Vulnerabilities Detected, click the <number> link to review information
about vulnerabilities before installing patches.
A page of details is displayed.

2. Click each category with vulnerabilities to view its details. For example, click the Browser category to view details
about detected browser vulnerabilities.

3. Click the Details icon for each vulnerability to view its details, and click OK to close the detailed view.


4. In each category, select the check box for the software for which you want to install patches.
For example, in the OS category, expand Operating System, and select the check box beside the
vulnerabilities for which you want to install patches.

You may be unable to choose which patches to install, depending on your FortiClient configuration. You are
also unable to select the check box for any software that requires manual installation of patches.

5. Click the Install Selected button to install patches.


FortiClient installs the patches. You might need to reboot the endpoint device to complete installation.

Manually fix detected vulnerabilities

In some cases, FortiClient cannot automatically install software patches, and you must manually download and
install software patches. After each scan, the Vulnerability Scan tab lists any software that requires you to
manually download and install software patches. See also Scan now on page 107.

If a software vendor has ceased to provide patches for its software, the software is
tagged as obsolete in the signatures used by the Vulnerability Scan feature, and you
must uninstall the software to fix detected vulnerabilities. The obsolete tag is visible in
the details. See View details about vulnerabilities on page 112.

If compliance is enabled for FortiClient in managed mode, and FortiGate compliance rules require it, all software
patches must be installed within a time frame to maintain compliant status and network access. See also
Compliance and vulnerability scanning on page 107.

To manually fix detected vulnerabilities:

1. On the Vulnerability Scan tab, identify the software that requires manual fixing.
Any software with detected vulnerabilities that requires you to manually download and install software
patches is displayed in the Vulnerabilities Detected area. In the following example, Java JDK and
PHP require manual updates:


2. Download the latest software patch for each software from the Internet, and install it on the endpoint.
3. After you install the software for all remaining vulnerabilities, go to the Vulnerability Scan tab, and click the Scan
Now button to instruct FortiClient to confirm that the vulnerabilities are fixed.
If the manual fixes were successful, the Vulnerability Scan tab displays Vulnerabilities Detected: None after
the scan completes.

View details about vulnerabilities

To view details about vulnerabilities:

1. On the Vulnerability Scan tab, any software with detected vulnerabilities that requires you to manually download
and install software patches is displayed in the Vulnerabilities Detected area.
2. You can view more details by clicking the Vulnerabilities Detected <number> link or the category for detected
vulnerabilities, such as Critical, High, Medium, or Low.
3. Click the Details icon.

If the detected vulnerability requires you to manually download and install a fix, it is communicated in the
Recommended Action section. In addition, the following information is displayed: The fix for the
vulnerability must be manually installed from: <link>.


4. Click OK to close the window.

View vulnerability scan history

You can view the history of the last seven vulnerability scans and patches, to see what software was identified
as vulnerable and whether patches for the vulnerabilities were installed.

To view vulnerability patch history:

1. In the FortiClient console, click the Vulnerability Scan tab.


2. Click the Scan History link.
The vulnerability patch history is displayed by date. Click each date and software name to expand it and view
details or contract it and hide details.

3. Click Close to return to the Vulnerability Scan tab.

Settings

This section describes the options on the File > Settings page.

What options you can change on the Settings page depends on whether FortiClient is in standalone or managed
mode. In managed mode, settings might be locked by FortiGate or EMS.

System

You can back up or restore a FortiClient configuration.

Backup or restore full configuration


You can back up the FortiClient configuration to an XML file, and restore the FortiClient configuration from an
XML file.

To back up or restore the full configuration file:

1. Go to File > Settings.


2. Expand the System section, then select Backup or Restore as needed.
When performing a backup, you can select the file destination, password requirements, and add comments
as needed.

Logging

This setting can only be configured when FortiClient is in standalone mode.

Enable logging for features


You can enable logging for modules that are available in FortiClient console. Logging options are hidden for
modules that are not available in FortiClient console.

To enable logging for features:

1. Go to File > Settings.


2. Expand the Logging section.


3. Select the features for which you want to add entries to the log file:

VPN Select VPN to enable logging for this feature.

Application Firewall Select Application Firewall to enable logging for this feature.

AntiVirus Select AntiVirus to enable logging for this feature.

Update Select Update to enable logging for FortiClient software updates.

Sandboxing Select Sandboxing to enable logging for this feature.

Telemetry Select Telemetry to enable logging for this feature.

Web Security/Web Filter Select Web Security or Web Filter to enable logging for this feature.

Vulnerability Scan Select Vulnerability Scan to enable logging for this feature.

4. Select a logging level, and click OK.

Emergency The system becomes unstable.

Alert Immediate action is required.

Critical Functionality is affected.

Error An error condition exists and functionality could be affected.

Warning Functionality could be affected.

Notice Information about normal events.

Information General information about system operations.

Debug Debug FortiClient.

It is recommended to use the debug logging level only when needed. Do not leave the
debug logging level permanently enabled in a production environment to avoid
unnecessarily consuming disk space.

Send logs to FortiAnalyzer or FortiManager


The following products are required for an administrator to configure FortiClient in managed mode to send logs to
FortiAnalyzer or FortiManager:

- FortiClient
- FortiGate or EMS
- FortiAnalyzer or FortiManager


When FortiClient connects Telemetry to FortiGate or EMS, the endpoint can upload logs to FortiAnalyzer or
FortiManager units on port 514 TCP.

FortiClient Telemetry must connect to FortiGate or EMS for FortiClient to upload logs
to FortiAnalyzer or FortiManager.

Export the log file


You can export the log file (.log) from FortiClient.

To export log files:

1. Go to File > Settings.


2. Expand the Logging section, and click the Export logs link.
The Save As dialog box is displayed.

3. Select a location for the log file, type a name for the log file, and click Save.

Clear entries in the log file

To clear entries in the log file:

1. Go to File > Settings.


2. Expand the Logging section, and click the Clear logs link.
A confirmation dialog box is displayed.

3. Click Yes to confirm.


The contents of the log file are deleted, and a confirmation dialog box is displayed.

4. Click OK.

VPN options

To configure VPN options:

1. Go to File > Settings from the toolbar, and expand the VPN section.
2. Select Enable VPN before logon to allow a VPN connection to be established from the Windows logon screen, before a user logs on.
3. Click OK.


Antivirus options

To configure antivirus options:

1. Go to File > Settings, and expand the Antivirus Options section.

2. Configure the following settings, and click OK:

Grayware Options Grayware is an umbrella term applied to a wide range of malicious applications such as spyware, adware and key loggers that are often secretly installed on a user's computer to track and/or report certain information back to an external source without the user's permission or knowledge.

Adware Select to enable adware detection and quarantine during the antivirus scan.

Riskware Select to enable riskware detection and quarantine during the antivirus scan.

Scan removable media on insertion Select to scan removable media when it is inserted.

Alert when viruses are detected Select to have FortiClient provide a notification alert when a threat is detected on your personal computer. When Alert when viruses are detected under AntiVirus Options is not selected, you will not receive the virus alert dialog box when attempting to download a virus in a web browser.

Pause background scanning on battery power Select to pause background scanning when your computer is operating on battery power.

Enable FortiGuard Analytics Select to automatically send suspicious files to the FortiGuard Network for analysis.

Advanced options

These settings can be configured only when FortiClient is in standalone mode. When FortiClient Telemetry is
connected to FortiGate or EMS, these settings are set by the XML configuration (if configured).


To configure advanced options:

1. Go to File > Settings, and expand the Advance section.

2. Configure the following settings, and click OK:

Enable Single Sign-On mobility agent Select to enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator device.

Server address Enter the FortiAuthenticator IP address.

Customize port Enter the port number. The default port is 8001.

Pre-shared Key Enter the pre-shared key. The pre-shared key should match the key configured on your FortiAuthenticator device.

Disable proxy (troubleshooting only) Select to disable proxy when troubleshooting FortiClient.

Default tab Select the default tab to be displayed when opening FortiClient.

Single Sign-On mobility agent

The FortiClient Single Sign-On (SSO) Mobility Agent is a client that updates FortiAuthenticator with user logon
and network information.

FortiClient/FortiAuthenticator protocol
The FortiAuthenticator listens on a configurable TCP port. FortiClient connects to FortiAuthenticator using
TLS/SSL with two-way certificate authentication. The FortiClient sends a logon packet to FortiAuthenticator,
which replies with an acknowledgment packet.

FortiClient/FortiAuthenticator communication requires the following:

- Each endpoint's IP address should be unique across the entire network, because the logon reported by the agent is tied to that address.
- The FortiAuthenticator should be accessible from clients in all locations.
- The FortiAuthenticator should be accessible by all FortiGates.

FortiClient Single Sign-On Mobility Agent requires a FortiAuthenticator running 2.0.0 or later, or v3.0.0 or later.
Enter the FortiAuthenticator (server) IP address, port number, and the pre-shared key configured on the
FortiAuthenticator.


Enable Single Sign-On mobility agent on FortiClient:

1. In FortiClient console, go to File > Settings.


2. Expand the Advanced section, and select Enable Single Sign-On mobility agent.
3. Type the FortiAuthenticator server address and the pre-shared key.
4. Click OK.

Enable FortiClient SSO mobility agent service on the FortiAuthenticator:

1. In FortiAuthenticator, select Fortinet SSO Methods > SSO > General. The Edit SSO Configuration page opens.
2. Select Enable FortiClient SSO Mobility Agent Service and enter a TCP port value for the listening port.
3. Select Enable authentication and enter a secret key or password.
4. Select OK to save the setting.

Enable FortiClient FSSO services on the interface:

1. Select System > Network > Interfaces. Select the interface and select Edit from the toolbar. The Edit Network
Interface window opens.

2. Select the checkbox to enable FortiClient FSSO.


3. Select OK to save the setting.

To enable the FortiClient SSO Mobility Agent Service on the FortiAuthenticator, you must first apply the applicable
FortiClient license for FortiAuthenticator. For more information, see the FortiAuthenticator Administration Guide in
the Fortinet Document Library.
For information on purchasing a FortiClient license for FortiAuthenticator, please contact your authorized Fortinet
reseller.


Configuration lock

To prevent unauthorized changes to the FortiClient configuration, select the lock icon located at the bottom left of
the Settings page. You will be prompted to enter and confirm a password. When the configuration is locked,
configuration changes are restricted, and FortiClient cannot be shut down or uninstalled.

When the configuration is locked you can perform the following actions on the Settings page:

- Back up the FortiClient configuration
- Export FortiClient logs

To perform configuration changes, or to shut down FortiClient, select the lock icon and enter the password used
to lock the configuration.

FortiTray

When FortiClient is running on your system, you can select the FortiTray icon in the Windows system tray to
perform various actions. The FortiTray icon is available in the system tray even when the FortiClient console is
closed.

- Default menu options:
  - Open FortiClient console
  - Shut down FortiClient
- Dynamic menu options, depending on configuration:
  - Connect to a configured IPsec VPN or SSL VPN connection
  - Display the antivirus scan window (if a scheduled scan is currently running)
  - Display the Vulnerability scan window (if a vulnerability scan is running)

If you hover the mouse cursor over the FortiTray icon, you will receive various notifications including the version,
antivirus signature, and antivirus engine.

When the configuration is locked, the option to shut down FortiClient from FortiTray is
grayed out.

Establishing VPN connections from FortiTray

To establish a VPN connection from FortiTray:

1. Select the Windows System Tray.


2. Right-click the FortiTray icon, and select a VPN connection configuration.
3. Type your username and password in the authentication window, and click OK to connect.

Diagnostic Tool

You can access the FortiClient Diagnostic Tool from the FortiClient console. Go to Help > About.

On FortiClient (Windows), you can also access the Diagnostic Tool from the Start
menu.

You can use the FortiClient Diagnostic tool to generate a debug report, and then provide the debug report to the
FortiClient team to help with troubleshooting. For example, if you are working with customer support on a
problem, you can generate a debug report, and email the report to customer support to help with troubleshooting.

To generate debug reports:

1. Go to Help > About.

2. Click the Diagnostic Tool button in the top-right corner. The FortiClient Diagnostic Tool dialog box is displayed.


3. Click Run Tool.


A window is displayed that provides status information.

4. (Optional) When prompted, launch and disconnect the VPN tunnels for which you want to collect information.
A Diagnostic_Result file is created and displayed in a folder on the endpoint device. The default folder
location is C:\Users\<user name>\AppData\Local\Temp\.

5. Click Close.

Appendix A - FortiClient API

You can operate FortiClient VPNs using the COM-based FortiClient API. The API can be used with IPsec VPN
only. SSL VPN is currently not supported.

Overview

The FortiClient COM library provides functionality to:

- Retrieve a list of the VPN tunnels configured in the FortiClient application.
- Start and stop any of the configured VPN tunnels.
- Send XAuth credentials.
- Retrieve status information:
  - configured tunnel list
  - active tunnel name
  - connected or not
  - idle or not
  - remaining key life
- Respond to FortiClient-related events:
  - VPN connect
  - VPN disconnect
  - VPN is idle
  - XAuth authentication requested

For more information, see the vpn_com_examples ZIP file located in the VPN Automation file folder in the
FortiClientTools file.

API reference

The following list describes the API methods and events.

Disconnect(bstrTunnelName As String)
Close the named VPN tunnel.

GetPolicy(pbAV As Boolean, pbAS As Boolean, pbFW As Boolean, pbWF As Boolean)
Command is deprecated in FortiClient v5.0.

GetRemainingKeyLife(bstrTunnelName As String, pSecs As Long, pKBytes As Long)
Retrieve the remaining key life for the named connection. Whether the keylife time (pSecs) or the data volume (pKBytes) is significant depends on the detailed settings in the FortiClient application.

MakeSystemPolicyCompliant()
Command is deprecated in FortiClient v5.0.

SendXAuthResponse(tunnelName As String, userName As String, password As String, savePassword As Boolean)
Send XAuth credentials (user name and password) for the named connection; savePassword is True if the password should be saved.

SetPolicy(bAV As Boolean, bAS As Boolean, bFW As Boolean, bWF As Boolean)
Command is deprecated in FortiClient v5.0.

GetTunnelList()
Retrieve the list of all connections configured in the FortiClient application.

IsConnected(bstrTunnelName As String) As Boolean
Return True if the named connection is up.

IsIdle(bstrTunnelName As String) As Boolean
Return True if the named connection is idle.

OnDisconnect(bstrTunnelName As String)
Event: the named connection was disconnected.

OnIdle(bstrTunnelName As String)
Event: the named connection is idle.

OnOutOfCompliance(bAV As Boolean, bAS As Boolean, bFW As Boolean, bWF As Boolean)
Command is deprecated in FortiClient v5.0.

OnXAuthRequest(bstrTunnelName As String)
Event: the VPN peer on the named connection requests XAuth authentication.

Appendix B- FortiClient Log Messages

For a list of FortiClient log messages, see the FortiClient 5.6.0 Online Help at
http://docs.fortinet.com/forticlient/admin-guides. The table of log messages is too wide to fit into the page size
of the FortiClient 5.6.0 Administration Guide.

Appendix C - Vulnerability Patches

FortiClient checks many applications for vulnerabilities. FortiClient can automatically patch vulnerabilities from
some applications, but not all applications. For some applications, the user must manually patch vulnerabilities.

For the latest list of supported software, see the FortiGuard Center (FortiGuard.com) .

FortiClient (Windows)

Automatic vulnerability patching


FortiClient (Windows) automatically patches vulnerabilities for the following software:

- 7-Zip
- Microsoft Bulletin
- Apple iTunes
- Mozilla Firefox
- Mozilla Firefox ESR
- Foxit Reader
- Java JRE
- Wireshark
- Mozilla Thunderbird
- Adobe Air
- Adobe Acrobat
- Adobe Acrobat DC
- Adobe Reader
- Adobe Acrobat Reader DC
- Adobe Flash Player Active X plug-in for Internet Explorer
- Adobe Flash Player NPAPI plug-in for Firefox
- PostgreSQL (version 9.1 or later)
- VideoLAN VLC Media Player
- VMware Player
- VMware Workstation Player

Manual vulnerability patching


FortiClient (Windows) automatically checks the following software for vulnerabilities, but cannot automatically
patch vulnerabilities. The user must manually locate, download, and install updates to the following software to
patch vulnerabilities:

- Adobe AIR SDK
- Adobe Acrobat X
- Adobe Acrobat Reader X
- Adobe Shockwave Player
- Apple QuickTime
- Apple Safari
- Java JDK
- Google Chrome
- Google Picasa
- Oracle MySQL server
- PHP
- PostgreSQL (earlier than version 9.1)

FortiClient (OS X)

Automatic vulnerability patching


FortiClient (OS X) automatically patches vulnerabilities for the following software:

- Adobe Acrobat
- Adobe Acrobat DC
- Adobe Acrobat Reader DC
- Adobe Flash Player NPAPI plug-in
- Apple Products
- Mozilla Firefox
- Mozilla Firefox ESR
- Google Chrome
- Java JRE
- SeaMonkey
- Mozilla Thunderbird
- Mozilla Thunderbird ESR
- VideoLAN VLC Media Player
- VMware Fusion
- Wireshark

Manual vulnerability patching


FortiClient (OS X) automatically checks the following software for vulnerabilities, but cannot automatically patch
vulnerabilities. The user must manually locate, download, and install updates to the following software to patch
vulnerabilities:

- Java JDK
- MySQL Server
- Adobe Reader

Appendix D - FortiClient Processes

This section identifies the processes used by FortiClient (Windows) and FortiClient (OS X).

FortiClient (Windows) processes

The following table identifies the processes in Task Manager used by FortiClient (Windows):

Process Name Process Purpose

FortiClient Application Database Service Network Access Control (NAC) and Antivirus

FortiClient Console FortiClient GUI

FortiClient IPsec VPN Service Remote Access for IPsec VPN

FortiClient Firewall Service Application Firewall

FortiClient Logging Daemon Logging

FortiClient Diagnostic Tool Diagnostic Tool

FortiClient Network Access Control FortiClient Telemetry

FortiClient Proxy Service Antivirus and Web Filter

FortiClient Realtime AntiVirus Protection Antivirus

FortiClient Sandbox Agent Sandbox Detection

FortiClient Scan Server Antivirus to offload Antivirus scanning to a separate process

FortiClient Scheduler Windows ensures that FortiClient services are running when needed

FortiClient SSLVPN daemon Remote Access for SSL VPN

FortiClient System Helper FortiClient ensures that 32-bit processes can access 64-bit resources

FortiClient System Tray Controller FortiTray

FortiClient User Avatar Agent FortiClient Console and FortiClient Telemetry use to obtain avatar images for users


FortiClient Virus Feedback Service Antivirus and FortiClient Console use to submit samples to FortiGuard

FortiClient Vulnerability Scan Daemon and Engine FortiClient Vulnerability Scan engine

FortiClient Web Filter Service Used by Web Filter

FortiClient (OS X) processes

FortiClient (OS X) uses the following processes:

- The process for the FortiClient main GUI is located at /Applications/FortiClient.app/Contents/MacOS/FortiClient
- The process for the FortiTray controller is located at /Applications/FortiClient.app/Contents/Resources/runtime.helper/FortiClientAgent.app/MacOS/FortiClientAgent
- The process for the FortiClient upgrade GUI is located at /Applications/FortiClient.app/Contents/Resources/runtime.helper/FortiClientUpdate.app/Contents/MacOS/FortiClientUpdate

The following table identifies the processes in the following location used by FortiClient (OS X): 
/Library/Application Support/Fortinet/FortiClient/bin:

Process Name Process Purpose

fctservctl FortiClient Service Controller

epctrl FortiClient endpoint control daemon

ftgdagent Web Filter

fmon AntiVirus scan main program

scanunit AntiVirus scan scanner

vulscan Vulnerability scan

fctappfw Firewall Service

fssoavgent_launchagent FortiClient single sign on agent

fssoavgent_launchdaemon FortiClient single sign on daemon

fctctld VPN controller


sslvpnd SSL VPN Daemon

racoon IPsec VPN Service

racoonctl IPsec VPN Controller

fctupdate FortiClient update tool

fctupgrade FortiClient upgrade tool

fcconfig FortiClient Configurator tool

Copyright© 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.